Re: Allow non-superuser to cancel superuser tasks. - Mailing list pgsql-hackers

From Nathan Bossart
Subject Re: Allow non-superuser to cancel superuser tasks.
Msg-id 20240404181533.GA3885243@nathanxps13
In response to Re: Allow non-superuser to cancel superuser tasks.  ("Leung, Anthony" <antholeu@amazon.com>)
Responses Re: Allow non-superuser to cancel superuser tasks.
List pgsql-hackers
On Thu, Apr 04, 2024 at 12:30:51AM +0000, Leung, Anthony wrote:
>>    if (pg_stat_is_backend_autovac_worker(proc->backendId) &&
>>        !has_privs_of_role(GetUserId(), ROLE_PG_SIGNAL_AUTOVACUUM))
>>        return SIGNAL_BACKEND_NOAUTOVACUUM;
> 
> I tried to add them above the existing code. When I test it locally, a
> user without pg_signal_autovacuum will actually fail at this block
> because the user is not superuser and !OidIsValid(proc->roleId) is also
> true in the following:

Good catch.

> This is what I'm planning to do - If the backend is autovacuum worker and
> the user is not superuser or has pg_signal_autovacuum role, we return the
> new value and provide the relevant error message.
> 
>     /*
>      * If the backend is autovacuum worker, allow user with privileges of the
>      * pg_signal_autovacuum role to signal the backend.
>      */
>     if (pgstat_get_backend_type(proc->backendId) == B_AUTOVAC_WORKER)
>     {
>         if (!has_privs_of_role(GetUserId(), ROLE_PG_SIGNAL_AUTOVACUUM) || !superuser())
>             return SIGNAL_BACKEND_NOAUTOVACUUM;
>     }
>     /*
>      * Only allow superusers to signal superuser-owned backends.  Any process
>      * not advertising a role might have the importance of a superuser-owned
>      * backend, so treat it that way.
>     */
>     else if ((!OidIsValid(proc->roleId) || superuser_arg(proc->roleId)) &&
>              !superuser())
>     {
>         return SIGNAL_BACKEND_NOSUPERUSER;
>     }
>     /* Users can signal backends they have role membership in. */
>     else if (!has_privs_of_role(GetUserId(), proc->roleId) &&
>              !has_privs_of_role(GetUserId(), ROLE_PG_SIGNAL_BACKEND))
>     {
>         return SIGNAL_BACKEND_NOPERMISSION;
>     }

There's no need for the explicit superuser() check in the
pg_signal_autovacuum section.  That's built into has_privs_of_role()
already.

-- 
Nathan Bossart
Amazon Web Services: https://aws.amazon.com
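To make the point about the redundant superuser() test concrete, here is a stand-alone model of the quoted decision chain (added illustration, not code from the patch or from PostgreSQL). The types, the `has_privs()` stand-in for has_privs_of_role(), and the sample callers are constructed; the only difference between the two entry points is whether the `|| !superuser()` clause from the quoted snippet is applied.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-ins for the PostgreSQL types used in the quoted snippet. */
typedef enum { B_BACKEND, B_AUTOVAC_WORKER } BackendType;
typedef enum { SIGNAL_BACKEND_SUCCESS, SIGNAL_BACKEND_NOSUPERUSER,
               SIGNAL_BACKEND_NOPERMISSION, SIGNAL_BACKEND_NOAUTOVACUUM } SignalResult;

/* Caller's privileges, modeled as flags instead of catalog lookups (constructed). */
typedef struct {
    bool is_superuser;              /* superuser() */
    bool in_pg_signal_autovacuum;   /* membership in pg_signal_autovacuum */
    bool in_pg_signal_backend;      /* membership in pg_signal_backend */
    bool member_of_target_role;     /* membership in proc->roleId */
} Caller;

/* Target process; role_valid=false models !OidIsValid(proc->roleId). */
typedef struct { BackendType type; bool role_valid; bool role_is_superuser; } Target;

/* Models has_privs_of_role(): a superuser holds the privileges of every role,
 * so a separate superuser() test adds nothing for the superuser case. */
static bool has_privs(const Caller *c, bool member) { return c->is_superuser || member; }

/* The quoted decision chain. with_superuser_test=true reproduces the
 * "|| !superuser()" clause; false is the form the reply recommends. */
static SignalResult check(const Caller *c, const Target *p, bool with_superuser_test) {
    if (p->type == B_AUTOVAC_WORKER) {
        if (!has_privs(c, c->in_pg_signal_autovacuum) ||
            (with_superuser_test && !c->is_superuser))
            return SIGNAL_BACKEND_NOAUTOVACUUM;
    }
    else if ((!p->role_valid || p->role_is_superuser) && !c->is_superuser)
        return SIGNAL_BACKEND_NOSUPERUSER;
    else if (!has_privs(c, c->member_of_target_role) &&
             !has_privs(c, c->in_pg_signal_backend))
        return SIGNAL_BACKEND_NOPERMISSION;
    return SIGNAL_BACKEND_SUCCESS;
}

SignalResult check_as_quoted(const Caller *c, const Target *p) { return check(c, p, true); }
SignalResult check_recommended(const Caller *c, const Target *p) { return check(c, p, false); }

int main(void) {
    /* Constructed case: a non-superuser holding pg_signal_autovacuum targets an
     * autovacuum worker, which advertises no role (role_valid=false). */
    Caller c = { false, true, false, false };
    Target autovac = { B_AUTOVAC_WORKER, false, false };
    printf("quoted: %d  recommended: %d\n",
           check_as_quoted(&c, &autovac), check_recommended(&c, &autovac));
    return 0;
}
```

Running the constructed case shows the quoted form denying the very role the patch introduces, while the recommended form lets that role through and still refuses callers who lack it.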


