| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Christophe Pettus <xof(at)thebuild(dot)com> |
| Cc: | Bryn Llewellyn <bryn(at)yugabyte(dot)com>, "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>, pgsql-general list <pgsql-general(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: Is it possible to stop sessions killing eachother when they all authorize as the same role? |
| Date: | 2022-09-13 21:10:58 |
| Message-ID: | 2384348.1663103458@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Christophe Pettus <xof(at)thebuild(dot)com> writes:
> It works correctly for me, on MacOS:
> swift-239:~ xof$ psql
> psql (14.5)
> Type "help" for help.
> xof=# create user r1;
> CREATE ROLE
> xof=# revoke execute on function pg_terminate_backend from r1;
> REVOKE
> xof=#
> \q
> swift-239:~ xof$ psql -U r1 xof
> psql (14.5)
> Type "help" for help.
> xof=> select pg_terminate_backend(123);
> ERROR: permission denied for function pg_terminate_backend
> xof=>
Hmm ... that should actually *not* have worked. pg_terminate_backend
has the default ACL for functions, namely GRANT EXECUTE TO PUBLIC.
If you revoke from a specific user, nothing will change because
the PUBLIC grant is still there and they can still use it.
Perhaps you'd already revoked from public in this database?
(I recall that somewhere we have some code that warns about no-op
grants. I wonder if issuing a warning for no-op revokes would be
helpful.)
Jeremy's nearby theory that the REVOKE was done in a different
database seems like a pretty good explanation of Bryn's issue.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Christophe Pettus | 2022-09-13 21:26:31 | Re: Is it possible to stop sessions killing eachother when they all authorize as the same role? |
| Previous Message | Jeremy Smith | 2022-09-13 20:11:04 | Re: Is it possible to stop sessions killing eachother when they all authorize as the same role? |