Re: pg_cancel_backend by non-superuser

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Daniel Farina <daniel(at)heroku(dot)com>
Cc: pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: pg_cancel_backend by non-superuser
Date: 2011-10-01 04:30:45
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-hackers

Daniel Farina <daniel(at)heroku(dot)com> writes:
> This patch would appear(?) to have languished:

> I'd really like to see it included. In the last comments of the
> review, there seem to be problems in *terminate* backend, but even
> just pg_cancel_backend as non-superuser would be just a huge
> improvement. What are the things blocking non-superuser
> pg_cancel_backend from being accepted?

I think the reason the patch stalled is that we have not got consensus
on how far to extend the conditions under which these operations should
be allowed. For instance, in the last comment attached to that
commitfest entry, Noah alleges that a non-superuser database owner
should be allowed to kill a superuser's session, if it's connected
to his database. My reaction to that is somewhere between "no" and
"hell no"; IMO superusers can mess up non-superusers, never vice versa.
If I recall the discussion correctly, there were other points of
contention too.

I don't think we need more coding right now ... we need somebody to
write a spec that everyone can agree to.

ISTM it would be reasonably non-controversial to allow users to issue
pg_cancel_backend against other sessions logged in as the same userID.
The question is whether to go further than that, and if so how much.

regards, tom lane

In response to


Browse pgsql-hackers by date

  From Date Subject
Next Message Torello Querci 2011-10-01 05:44:44 Re: pg_cancel_backend by non-superuser
Previous Message Tom Lane 2011-10-01 04:03:31 Re: Re: Optimizing pg_trgm makesign() (was Re: WIP: Fast GiST index build)