On 2014-06-10 11:40:25 -0400, Tom Lane wrote:
> Andres Freund <andres@2ndquadrant.com> writes:
> > On 2014-06-10 11:14:43 -0400, Tom Lane wrote:
> >> Because it would convert the intended behavior (postmaster and only
> >> postmaster is exempt from OOM kill) into a situation where possibly
> >> all of the database processes are exempt from OOM kill, at the whim
> >> of somebody who should not have the privilege to decide that.
>
> > Meh^3. By that argument we need to forbid superusers to create any form
> > of untrusted functions. Forbid anything that does malloc(), system(),
> > fork(), whatever from a user's influence.
>
> That's utter and complete nonsense. We're discussing an operation that is
> root-privileged (ie, lowering a process's OOM score), not random stuff
> that unprivileged processes can do.

Oh, come on. Tom. You a) conveniently left off the part where I said that
the user can execute code from the postmaster. b) fork() can be used to
escape the oom killer. c) Lots of much worse things can be done to the
system with arbitrary system calls than adjusting oom_score_adj.

The postmaster can currently change oom_score_adj. Users can run code as
a postmaster. Simple as that.

Besides, as demonstrated in
http://www.postgresql.org/message-id/20140610154536.GN8406@alap3.anarazel.de
postmaster children can already reset their score.

Greetings,

Andres Freund
--
Andres Freund http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services