> On Jan 30, 2023, at 7:44 AM, Robert Haas <robertmhaas@gmail.com> wrote:
>
> And if we suppose that
> that already works and is safe, well then what's the case where I do
> need a run-as user?
A) Alice publishes tables, and occasionally adds new tables to existing publications.
B) Bob manages subscriptions, and periodically runs "refresh publication". Bob also creates new subscriptions for
peoplewhen a row is inserted into the "please create a subscription for me" table which Bob owns, using a trigger that
Bobcreated on that table.
C) Alice creates a "please create a subscription for me" table on the publishing database, adds lots of malicious
requests,and adds that table to the publication.
D) Bob replicates the table, fires the trigger, creates the malicious subscriptions, and starts replicating all that
stuff,too.
I think that having Charlie, not Bob, as the "run-as" user helps somewhere right around (D).
—
Mark Dilger
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company