| From: | Magnus Hagander <magnus(at)hagander(dot)net> |
|---|---|
| To: | Josh Berkus <josh(at)agliodbs(dot)com> |
| Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: pg_stat_replication security |
| Date: | 2011-01-17 10:51:45 |
| Message-ID: | AANLkTi=JH0mAK64kS0PNHOaF60R=UmQ_CyF-0m115rXO@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Sun, Jan 16, 2011 at 21:57, Josh Berkus <josh(at)agliodbs(dot)com> wrote:
>
>>> I suggest instead either "superuser" or "replication" permissions.
>>
>> That's another idea.
>
> Oh, wait. I take that back ... we're trying to encourage users NOT to
> use the "replication" user as a login, yes?
yeah.
Here's a patch that limits it to superuser only. We can't easily match
it to the user of the session given the way the walsender data is
returned - it doesn't contain the user information. But limiting it to
superuser only seems perfectly reasonable and in line with the
encouragement not to use the replication user for login.
Objections?
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
| Attachment | Content-Type | Size |
|---|---|---|
| stat_replication_secure.patch | text/x-patch | 1.6 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Pavel Golub | 2011-01-17 10:54:52 | Re: Warning compiling pg_dump (MinGW, Windows XP) |
| Previous Message | Magnus Hagander | 2011-01-17 10:44:35 | Re: walreceiver fallback_application_name |