| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
| Cc: | Magnus Hagander <magnus(at)hagander(dot)net>, Daniel Farina <daniel(at)heroku(dot)com>, Noah Misch <noah(at)leadboat(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Cross-backend signals and administration (Was: Re: pg_terminate_backend for same-role) |
| Date: | 2012-03-27 00:19:21 |
| Message-ID: | 20717.1332807561@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Robert Haas <robertmhaas(at)gmail(dot)com> writes:
> I think the more important question is a policy question: do we want
> it to work like this? It seems like a policy question that ought to
> be left to the DBA, but we have no policy management framework for
> DBAs to configure what they do or do not wish to allow. Still, if
> we've decided it's OK to allow cancelling, I don't see any real reason
> why this should be treated differently.
Right now the only thing you can do to lock down pg_cancel_backend is
to make sure non-mutually-trusting users aren't given the same user ID.
Which, well, duh. Somebody with your user ID can probably do a lot more
damage than just cancelling your queries/sessions.
I do wonder though (and am too lazy to go look) whether the
pg_cancel_backend check is a strict user ID match or it allows
member-of-role matches. We might want to think a bit more carefully
about the implications if it's the latter.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Robert Haas | 2012-03-27 01:11:21 | Re: Command Triggers patch v18 |
| Previous Message | Tom Lane | 2012-03-27 00:11:41 | Re: Odd out of memory problem. |