diff --git a/doc/src/sgml/high-availability.sgml b/doc/src/sgml/high-availability.sgml index 86c2729..c5db6ef 100644 *** a/doc/src/sgml/high-availability.sgml --- b/doc/src/sgml/high-availability.sgml *************** *** 797,819 **** archive_cleanup_command = 'pg_archivecleanup /path/to/archive %r' It is very important that the access privileges for replication be set up so that only trusted users can read the WAL stream, because it is easy to extract privileged information from it. Standby servers must ! authenticate to the primary as an account that has the ! REPLICATION privilege. So a role with the ! REPLICATION and LOGIN privileges needs to be ! created on the primary. - - - It is recommended that a dedicated user account is used for replication. - While the REPLICATION privilege is granted to superuser - accounts by default, it is not recommended to use superuser accounts - for replication. While REPLICATION privilege gives very high - permissions, it does not allow the user to modify any data on the - primary system, which the SUPERUSER privilege does. - - - Client authentication for replication is controlled by a pg_hba.conf record specifying replication in the --- 797,810 ---- It is very important that the access privileges for replication be set up so that only trusted users can read the WAL stream, because it is easy to extract privileged information from it. Standby servers must ! authenticate to the primary as a superuser or an account that has the ! REPLICATION privilege. It is recommended to create a ! dedicated user account with REPLICATION and LOGIN ! privileges for replication. While REPLICATION privilege gives ! very high permissions, it does not allow the user to modify any data on ! the primary system, which the SUPERUSER privilege does. Client authentication for replication is controlled by a pg_hba.conf record specifying replication in the 
diff --git a/doc/src/sgml/recovery-config.index 8647024..7e39c0d 100644 *** a/doc/src/sgml/recovery-config.sgml --- b/doc/src/sgml/recovery-config.sgml *************** *** 325,333 **** restore_command = 'copy "C:\\server\\archivedir\\%f" "%p"' # Windows The connection string should specify the host name (or address) of the primary server, as well as the port number if it is not the same as the standby server's default. ! Also specify a user name corresponding to a role that has the ! REPLICATION and LOGIN privileges on the ! primary (see ). A password needs to be provided too, if the primary demands password authentication. It can be provided in the --- 325,332 ---- The connection string should specify the host name (or address) of the primary server, as well as the port number if it is not the same as the standby server's default. ! Also specify a user name corresponding to a suitably-privileged role ! on the primary (see ). A password needs to be provided too, if the primary demands password authentication. It can be provided in the diff --git a/doc/src/sgml/ref/create_rolindex 4953df6..7ec4d0a 100644 *** a/doc/src/sgml/ref/create_role.sgml --- b/doc/src/sgml/ref/create_role.sgml *************** *** 185,192 **** CREATE ROLE name [ [ WITH ] REPLICATION attribute is a very highly privileged role, and should only be used on roles actually used for replication. If not specified, ! NOREPLICATION is the default for all roles except ! superusers. --- 185,191 ---- A role having the REPLICATION attribute is a very highly privileged role, and should only be used on roles actually used for replication. If not specified, ! NOREPLICATION is the default. 
diff --git a/doc/src/sgml/ref/pg_basebacindex 8c8c78f..05d5bed 100644 *** a/doc/src/sgml/ref/pg_basebackup.sgml --- b/doc/src/sgml/ref/pg_basebackup.sgml *************** *** 50,61 **** PostgreSQL documentation The backup is made over a regular PostgreSQL ! connection, and uses the replication protocol. The connection must be ! made with a user having REPLICATION permissions (see ! ), and the user must be granted explicit ! permissions in pg_hba.conf. The server must also ! be configured with set high enough ! to leave at least one session available for the backup. --- 50,62 ---- The backup is made over a regular PostgreSQL ! connection, and uses the replication protocol. The connection must be made ! with a superuser or a user having REPLICATION ! permissions (see ), ! and pg_hba.conf must explicitly permit the replication ! connection. The server must also be configured ! with set high enough to leave at least ! one session available for the backup. diff --git a/doc/src/sgml/ref/pg_receivexlindex 9a2a24b..fad7470 100644 *** a/doc/src/sgml/ref/pg_receivexlog.sgml --- b/doc/src/sgml/ref/pg_receivexlog.sgml *************** *** 50,62 **** PostgreSQL documentation The transaction log is streamed over a regular ! PostgreSQL connection, and uses the ! replication protocol. The connection must be ! made with a user having REPLICATION permissions (see ! ), and the user must be granted explicit ! permissions in pg_hba.conf. The server must also ! be configured with set high enough ! to leave at least one session available for the stream. --- 50,62 ---- The transaction log is streamed over a regular ! PostgreSQL connection, and uses the replication ! protocol. The connection must be made with a superuser or a user ! having REPLICATION permissions (see ! ), and pg_hba.conf ! must explicitly permit the replication connection. The server must also be ! configured with set high enough to ! leave at least one session available for the stream. 
diff --git a/doc/src/sgml/user-manag.sgml bindex 0a4f82d..177ac7a 100644 *** a/doc/src/sgml/user-manag.sgml --- b/doc/src/sgml/user-manag.sgml *************** *** 169,184 **** CREATE USER name; A database superuser bypasses all permission checks, except the right ! to log in or the right to initiate replication. This is a ! dangerous privilege and should not be used carelessly; it is best ! to do most of your work as a role that is not a superuser. ! To create a new database superuser, use CREATE ROLE ! name SUPERUSER. You must do ! this as a role that is already a superuser. Creating a superuser ! will by default also grant permissions to initiate streaming ! replication. For increased security this can be disallowed using ! CREATE ROLE name SUPERUSER ! NOREPLICATION. --- 169,179 ---- A database superuser bypasses all permission checks, except the right ! to log in. This is a dangerous privilege and should not be used ! carelessly; it is best to do most of your work as a role that is not a ! superuser. To create a new database superuser, use CREATE ! ROLE name SUPERUSER. You must do ! this as a role that is already a superuser. *************** *** 217,223 **** CREATE USER name; A role must explicitly be given permission to initiate streaming ! replication. A role used for streaming replication must always have LOGIN permission as well. To create such a role, use CREATE ROLE name REPLICATION LOGIN. --- 212,219 ---- A role must explicitly be given permission to initiate streaming ! replication (except for superusers, since those bypass all permission ! checks). A role used for streaming replication must always have LOGIN permission as well. To create such a role, use CREATE ROLE name REPLICATION LOGIN. 
diff --git a/src/backend/commands/uindex fa312cb..797e957 100644 *** a/src/backend/commands/user.c --- b/src/backend/commands/user.c *************** *** 239,254 **** CreateRole(CreateRoleStmt *stmt) if (dpassword && dpassword->arg) password = strVal(dpassword->arg); if (dissuper) - { issuper = intVal(dissuper->arg) != 0; - - /* - * Superusers get replication by default, but only if NOREPLICATION - * wasn't explicitly mentioned - */ - if (issuper && !(disreplication && intVal(disreplication->arg) == 0)) - isreplication = 1; - } if (dinherit) inherit = intVal(dinherit->arg) != 0; if (dcreaterole) --- 239,245 ---- diff --git a/src/backend/utils/iniindex 94f92dd..37696c2 100644 *** a/src/backend/utils/init/postinit.c --- b/src/backend/utils/init/postinit.c *************** *** 659,669 **** InitPostgres(const char *in_dbname, Oid dboid, const char *username, { Assert(!bootstrap); ! /* must have authenticated as a replication role */ ! if (!is_authenticated_user_replication_role()) ereport(FATAL, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), ! errmsg("must be replication role to start walsender"))); /* process any options passed in the startup packet */ if (MyProcPort != NULL) --- 659,668 ---- { Assert(!bootstrap); ! if (!superuser() && !is_authenticated_user_replication_role()) ereport(FATAL, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), ! errmsg("must be superuser or replication role to start walsender"))); /* process any options passed in the startup packet */ if (MyProcPort != NULL)
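Review bot: Dropping the braced block removes the only comment in CreateRole that explained how SUPERUSER and REPLICATION interact, and the surviving `if (dissuper) issuper = intVal(dissuper->arg) != 0;` says nothing about why a superuser created here now ends up with rolreplication false yet can still start a walsender. Suggest keeping that intent next to the assignment, e.g. `/* Superusers no longer get REPLICATION implicitly; InitPostgres accepts superuser() directly when a walsender starts */`, so the two halves of this change stay linked for the next reader. Superuser roles created before this change may already carry rolreplication = true; this hunk does not touch them, which is presumably fine since superuser() short-circuits the check anyway, but a sentence in the commit description would settle it. CreateRole begins and ends outside the hunk.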
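Review bot: The comment `/* must have authenticated as a replication role */` was deleted rather than updated, so the new condition `if (!superuser() && !is_authenticated_user_replication_role())` no longer documents that either privilege is sufficient to take the walsender path; suggest restoring it as `/* must have authenticated as a superuser or as a replication role */`. The two predicates also inspect different things — superuser() is about the current user id, while the sibling helper is named for the authenticated user — and at this point in InitPostgres they presumably coincide, but since this line is the privilege gate for reading the WAL stream a one-line note stating that assumption would make the check's basis explicit. InitPostgres begins and ends outside the hunk.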