On 2014-12-05 09:28:13 -0500, Stephen Frost wrote:
> static int
> pg_signal_backend(int pid, int sig)
> {
> @@ -113,7 +117,12 @@ pg_signal_backend(int pid, int sig)
> return SIGNAL_BACKEND_ERROR;
> }
>
> - if (!(superuser() || proc->roleId == GetUserId()))
> + /* Only allow superusers to signal superuser-owned backends. */
> + if (superuser_arg(proc->roleId) && !superuser())
> + return SIGNAL_BACKEND_NOSUPERUSER;
> +
> + /* Users can signal backends they have role membership in. */
> + if (!has_privs_of_role(GetUserId(), proc->roleId))
> return SIGNAL_BACKEND_NOPERMISSION;
>
> /*
> @@ -141,35 +150,49 @@ pg_signal_backend(int pid, int sig)
> }
Is the 'Only allow superusers to signal superuser-owned backends' check
actually safe that way? I personally try to never use a superuser role
as the login user, but grant my account a superuser role that doesn't
inherit. But IIRC PGPROC->roleId won't change, even if a user does SET
ROLE.
Greetings,
Andres Freund
-- Andres Freund http://www.2ndQuadrant.com/PostgreSQL Development, 24x7 Support, Training &
Services