From: | Bryn Llewellyn <bryn(at)yugabyte(dot)com> |
---|---|
To: | Christophe Pettus <xof(at)thebuild(dot)com> |
Cc: | Tom Lane PostgreSQL <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>, pgsql-general list <pgsql-general(at)lists(dot)postgresql(dot)org> |
Subject: | Re: Is it possible to stop sessions killing eachother when they all authorize as the same role? |
Date: | 2022-09-13 19:46:23 |
Message-ID: | 1BAB354D-E563-4091-A5BE-0F2050919883@yugabyte.com |
Views: | Whole Thread | Raw Message | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
> xof(at)thebuild(dot)com wrote:
>
>> bryn(at)yugabyte(dot)com wrote:
>>
>> What are you seeing that I'm failing to?
>
> It works correctly for me, on MacOS:
>
> create user r1;
> revoke execute on function pg_terminate_backend from r1;
>
> (reconnect as r1)
>
> select pg_terminate_backend(123);
>
> ERROR: permission denied for function pg_terminate_backend
Yes—this is what you all say. I suspect some-or-other setting that I’m unaware of. I tried (part of) Tom's test, thus:
\c postgres postgres
drop user if exists joe;
create user joe;
\c - joe
At first, the attempt to connect as "joe" failed for me because I had hardened my "postgres" database thus:
revoke all on database postgres from public;
alter database postgres connection limit = 0;
I say this only to emphasize that there are always things that are critical that are elided in a testcase that tries to be minimal.
So it seems that there's something critical about my env that I'm failing to tell you all. But what can it be?
I just recruited a colleague to try Tom's minimal test. He saw what I did. That "joe" *is* able to invoke "pg_terminate_backend()" even after revoking execute on it from public. So he's doing the same pilot error as me.
From | Date | Subject | |
---|---|---|---|
Next Message | Guillaume Lelarge | 2022-09-13 19:57:55 | Re: Is it possible to stop sessions killing eachother when they all authorize as the same role? |
Previous Message | Marcos Pegoraro | 2022-09-13 19:45:25 | get user info on log |