Magnus Hagander wrote:
>>I think any such facility is inherently a security risk, since it means
>>that a remote attacker who's managed to break into your superuser
>>account can randomly zap other backends. Now admittedly there's plenty
>>of other mischief he can do with superuser privs, but that doesn't mean
>>we should hand him a pre-loaded, pre-sighted cannon.
>>Having to log into the database server locally to execute such
>>operations doesn't seem that bad to me.
>
>It does to me. I prefer being able to admin the server without having to
>do a separate login. I also much prefer being able to delegate the
>capability to terminate a backend, interrupt a long-running query, etc
>to someone who does not have to have shell access on the server. I guess
>it depends on the environment.
>
>>Bruce Momjian <pgman@candle.pha.pa.us> writes:
>>>If they can read/write your data (as superuser), killing backends is the
>>>least worry.
>
>That's pretty much the assumption I was working under.
>
Perhaps for the paranoid we could invent a setting which turns the
facility off. Personally, I don't usually allow a superuser *any* access
except from the local host - maybe that would be an answer.

cheers
andrew
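
Added example, not part of the original message or of PostgreSQL: a small audit of `pg_hba.conf` for the policy described above (no superuser access except from the local host), honoring first-match rule order. The role name `postgres`, the sample file and all function names are assumptions; only numeric addresses (CIDR, IP plus netmask, or `all`) are handled, and `+group`, `@file`, hostnames and `samehost`/`samenet` are not resolved.

```python
import ipaddress

HOST_TYPES = {"host", "hostssl", "hostnossl"}
SAMPLE = """\
# Constructed sample pg_hba.conf (not from the thread)
local   all       all                       peer
host    all       postgres  127.0.0.1/32    scram-sha-256
host    all       postgres  ::1/128         scram-sha-256
host    all       postgres  0.0.0.0/0       reject
host    all       all       10.0.0.0/8      scram-sha-256
hostssl all       all       ::/0            scram-sha-256
"""

def parse_rules(text):
    """Parse host-type rules; 'local' (Unix-socket) lines are local by definition."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if len(f) < 5 or f[0] not in HOST_TYPES:
            continue
        if f[3] == "all":
            nets, method = ["0.0.0.0/0", "::/0"], f[4]
        elif "/" in f[3]:
            nets, method = [f[3]], f[4]
        else:  # IP address and netmask given as separate columns
            nets, method = [f"{f[3]}/{f[4]}"], f[5]
        rules.append({"line": lineno, "type": f[0], "dbs": set(f[1].split(",")),
                      "users": set(f[2].split(",")), "method": method,
                      "nets": [ipaddress.ip_network(n, strict=False) for n in nets]})
    return rules

def covered(early, late, user, net):
    """True if `early` is matched before `late` for this user and network."""
    return (bool({"all", user} & early["users"])
            and early["type"] in ("host", late["type"])
            and ("all" in early["dbs"] or early["dbs"] >= late["dbs"])
            and any(net.version == e.version and net.subnet_of(e) for e in early["nets"]))

def remote_superuser_rules(text, superusers):
    """Return (line, role, network) where an assumed-superuser role gets in from off-host."""
    rules, hits = parse_rules(text), []
    for i, rule in enumerate(rules):
        for su in sorted(superusers):
            if rule["method"] == "reject" or not {"all", su} & rule["users"]:
                continue
            for net in rule["nets"]:
                if not net.is_loopback and not any(covered(e, rule, su, net) for e in rules[:i]):
                    hits.append((rule["line"], su, str(net)))
    return hits
```

On the sample, the IPv4 `reject` line shadows the `10.0.0.0/8` rule but not the IPv6 `::/0` rule, so line 7 is reported; an IPv4-format entry matches only IPv4 connections.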