Re: [HACKERS] Function to kill backend - Mailing list pgsql-patches

From Andrew Dunstan
Subject Re: [HACKERS] Function to kill backend
Msg-id 406EE17E.4020103@dunslane.net
List pgsql-patches

Magnus Hagander wrote:

>>I think any such facility is inherently a security risk, since it means
>>that a remote attacker who's managed to break into your superuser
>>account can randomly zap other backends.  Now admittedly there's plenty
>>of other mischief he can do with superuser privs, but that doesn't mean
>>we should hand him a pre-loaded, pre-sighted cannon.
>>Having to log into the database server locally to execute such
>>operations doesn't seem that bad to me.
>
>It does to me. I prefer being able to admin the server without having to
>do a separate login. I also much prefer being able to delegate the
>capability to terminate a backend, interrupt a long-running query, etc
>to someone who does not have to have shell access on the server. I guess
>it depends on the environment.
>
>>Bruce Momjian <pgman@candle.pha.pa.us> writes:
>>>If they can read/write your data (as superuser), killing backends is the
>>>least worry.
>
>That's pretty much the assumption I was working under.

Perhaps for the paranoid we could invent a setting which turns the
facility off. Personally, I don't usually allow a superuser *any* access
except from the local host - maybe that would be an answer.

cheers

andrew

