Re: BUG #15182: Canceling authentication due to timeout aka Denial of Service Attack

From: Michael Paquier <michael(at)paquier(dot)xyz>
To: "Bossart, Nathan" <bossartn(at)amazon(dot)com>
Cc: Kyotaro HORIGUCHI <horiguchi(dot)kyotaro(at)lab(dot)ntt(dot)co(dot)jp>, "andres(at)anarazel(dot)de" <andres(at)anarazel(dot)de>, "pgsql-hackers(at)lists(dot)postgresql(dot)org" <pgsql-hackers(at)lists(dot)postgresql(dot)org>, "robertmhaas(at)gmail(dot)com" <robertmhaas(at)gmail(dot)com>, "Schneider, Jeremy" <schnjere(at)amazon(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, "lalbin(at)scharp(dot)org" <lalbin(at)scharp(dot)org>
Subject: Re: BUG #15182: Canceling authentication due to timeout aka Denial of Service Attack
Date: 2018-08-29 01:34:41
Message-ID: 20180829013441.GO29157@paquier.xyz
Lists: pgsql-bugs pgsql-hackers

Hi all,

Here is a summary of what has happened since this thread has been
created. Three problems reported on this thread have been solved and
resulted in different commits for early lock lookups:
- VACUUM FULL, patched on 12~:
https://www.postgresql.org/message-id/20180812222142.GA6097@paquier.xyz
Commit a556549: Improve VACUUM and ANALYZE by avoiding early lock queue
- TRUNCATE, patched on 12~:
https://www.postgresql.org/message-id/20180806165816.GA19883@paquier.xyz
Commit f841ceb: Improve TRUNCATE by avoiding early lock queue
- REINDEX, patched on 11~:
https://www.postgresql.org/message-id/20180805211059.GA2185@paquier.xyz
Commit 661dd23: Restrict access to reindex of shared catalogs for
non-privileged users

Please note that I have been very conservative with the different fixes
as v11 is getting very close to release. The patch for REINDEX is a
behavior change which will not get further down anyway. It would still
be nice to get a second lookup at the code and look if there are other
suspicious calls of relation_open or such which could allow
non-privileged users to pile up locks and cause more DOS problems.

Thanks,
--
Michael
