Tue Jan 30 13:40:34 PST 2007
- Previous message: [Slony1-general] REPLICATIONUSER really needs to be super-user?
- Next message: [Slony1-general] REPLICATIONUSER really needs to be super-user?
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Tue, Jan 30, 2007 at 04:31:19PM -0500, Mark Stosberg wrote:
> From my own testing, that doesn't seem to be true. I connect as a user
> that owns the database it's connecting to (and all objects in it), and
> that seems to be sufficient.

There are a number of pieces that work without being a superuser, as
you note. It would be _nice_ if we worked out a system in which we
could isolate exactly those parts that actually need superuser access,
and differentiate them. So far, there hasn't been enough interest.

> adding in the PL/pgSQL language, but it doesn't seem to be necessary
> for the ongoing replication process.

Well, there are also potential cross-machine issues where different
permissions might come up, not to mention the DDL parts which mess
with the system tables in order to disable triggers and the like.

If we had fully worked out when escalated permissions were needed, I
suppose we could create slony-priv and slony-nopriv interfaces, to try
to improve the security some. It's not plain to me that this would be
a real improvement, though, since if the black hats get access to your
replication user, things have already gone well into disaster-recovery
land anyway.

A

> (Or have I just not run into a hidden danger of not being a super-user?)
>
> Mark

--
Andrew Sullivan | ajs at crankycanuck.ca
Everything that happens in the world happens at some place.
--Jane Jacobs