Re: Allow non-superuser to cancel superuser tasks.

On Thu, Apr 04, 2024 at 12:30:51AM +0000, Leung, Anthony wrote:
>> if (pg_stat_is_backend_autovac_worker(proc->backendId) &&
>> !has_privs_of_role(GetUserId(), ROLE_PG_SIGNAL_AUTOVACUUM))
>> return SIGNAL_BACKEND_NOAUTOVACUUM;
>
> I tried to add them above the existing code. When I test it locally, a
> user without pg_signal_autovacuum will actually fail at this block
> because the user is not superuser and !OidIsValid(proc->roleId) is also
> true in the following:

Good catch.

> This is what Im planning to do - If the backend is autovacuum worker and
> the user is not superuser or has pg_signal_autovacuum role, we return the
> new value and provide the relevant error message
>
> /*
> * If the backend is autovacuum worker, allow user with privileges of the
> * pg_signal_autovacuum role to signal the backend.
> */
> if (pgstat_get_backend_type(proc->backendId) == B_AUTOVAC_WORKER)
> {
> if (!has_privs_of_role(GetUserId(), ROLE_PG_SIGNAL_AUTOVACUUM) || !superuser())
> return SIGNAL_BACKEND_NOAUTOVACUUM;
> }
> /*
> * Only allow superusers to signal superuser-owned backends. Any process
> * not advertising a role might have the importance of a superuser-owned
> * backend, so treat it that way.
> */
> else if ((!OidIsValid(proc->roleId) || superuser_arg(proc->roleId)) &&
> !superuser())
> {
> return SIGNAL_BACKEND_NOSUPERUSER;
> }
> /* Users can signal backends they have role membership in. */
> else if (!has_privs_of_role(GetUserId(), proc->roleId) &&
> !has_privs_of_role(GetUserId(), ROLE_PG_SIGNAL_BACKEND))
> {
> return SIGNAL_BACKEND_NOPERMISSION;
> }

There's no need for the explicit superuser() check in the
pg_signal_autovacuum section. That's built into has_privs_of_role()
already.

--
Nathan Bossart
Amazon Web Services: https://aws.amazon.com