Re: Streaming replication as a separate permissions

On tor, 2010-12-23 at 17:29 -0500, Tom Lane wrote:
> Josh Berkus <josh@agliodbs.com> writes:
> > On 12/23/10 2:21 PM, Tom Lane wrote:
> >> Well, that's one laudable goal here, but "secure by default" is another
> >> one that ought to be taken into consideration.
> 
> > I don't see how *not* granting the superuser replication permissions
> > makes things more secure.  The superuser can grant replication
> > permissions to itself, so why is suspending them by default beneficial?
> >  I'm not following your logic here.
> 
> Well, the reverse of that is just as true: if we ship it without
> replication permissions on the postgres user, people can change that if
> they'd rather not create a separate role for replication.  But I think
> we should encourage people to NOT do it that way.  Setting it up that
> way by default hardly encourages use of a more secure arrangement.

I think this argument is a bit inconsistent in the extreme.  You might
as well argue that a superuser shouldn't have any permissions by
default, to discourage users from using it.  They can always grant
permissions back to it.  I don't see why this particular one is so
different.

If we go down this road, we'll end up with a mess of permissions that a
superuser has and doesn't have.