Andrew Sullivan ajs
Tue Jan 30 13:40:34 PST 2007
On Tue, Jan 30, 2007 at 04:31:19PM -0500, Mark Stosberg wrote:
> From my own testing, that doesn't seem to be true. I connect as a user
> that owns the database it's connecting to (and all objects in it), and
> that seems to be sufficient.

There are a number of pieces that work without being a superuser, as
you note.  It would be _nice_ if we worked out a system in which we
could isolate exactly those parts that actually need superuser
access, and differentiate them.  So far, there hasn't been enough
interest.

> adding in the PL/pgSQL language, but it doesn't seem to be necessary
> for the ongoing replication process.

Well, there are also potential cross-machine issues where different
permissions might come up, not to mention the DDL parts which mess
with the system tables in order to disable triggers and the like.  If
we had fully worked out when escalated permissions were needed, I
suppose we could create slony-priv and slony-nopriv interfaces, to
try to improve the security some.  It's not plain to me that this
would be a real improvement, though, since if the black hats get
access to your replication user, things have already gone well into
disaster-recovery land anyway.

A

> 
> (Or have I just not run into a hidden danger of not being a super-user?)
> 
>    Mark
> 

-- 
Andrew Sullivan  | ajs at crankycanuck.ca
Everything that happens in the world happens at some place.
		--Jane Jacobs 


