Re: Function to kill backend

From: Jan Wieck <JanWieck(at)Yahoo(dot)com>
To: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Andrew Dunstan <andrew(at)dunslane(dot)net>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Function to kill backend
Date: 2004-04-06 14:13:39
Message-ID: 4072BB13.9090409@Yahoo.com
Lists: pgsql-hackers

Bruce Momjian wrote:
> Tom Lane wrote:
>> Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> writes:
>> > Seems like useful functionality. Right now, how does an administrator
>> > kill another backend from psql? They can't.
>>
>> The question to ask is "should they be able to?"
>>
>> I think any such facility is inherently a security risk, since it means
>> that a remote attacker who's managed to break into your superuser
>> account can randomly zap other backends. Now admittedly there's plenty
>> of other mischief he can do with superuser privs, but that doesn't mean
>> we should hand him a pre-loaded, pre-sighted cannon.
>>
>> Having to log into the database server locally to execute such
>> operations doesn't seem that bad to me.
>
> If they can read/write your data (as superuser), killing backends is the
> least worry.

Even as superuser, they still need to get a lock to drop the table. So
killing other backends will ...

This is so pointless. If an attacker manages to become superuser in the
compromised database, what good are restrictions against killing
backends? I agree that it should be restricted to backends, with an
identification based on Xid and SIGINT. But that's it.

Jan

--
#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me. #
#================================================== JanWieck(at)Yahoo(dot)com #
