On Thu, Feb 4, 2021 at 3:27 AM Tom Lane <t...@sss.pgh.pa.us> wrote:
>
> Tomas Vondra <tomas.von...@enterprisedb.com> writes:
> > On 2/3/21 4:08 PM, Tom Lane wrote:
> >> I'm disinclined to think that this is a good idea from a security
> >> perspective. Maybe if it's superuser-only it'd be ok (since a
> >> superuser would have other routes to discovering the value anyway).
>
> > Is the postmaster PID really sensitive? Users with OS access can just
> > list the processes, and for users without OS access / privileges it's
> > mostly useless, no?
>
> We disallow ordinary users from finding out the data directory location,
> even though that should be equally useless to unprivileged users. The
> postmaster PID seems like the same sort of information. It does not
> seem like a non-administrator could have any but nefarious use for that
> value. (Admittedly, this argument is somewhat weakened by exposing
> child processes' PIDs ... but you can't take down the whole installation
> by zapping a child process.)
>
> I'm basically in the same place you are in your other response: the
> question to ask is not "why not allow this?", but "why SHOULD we allow
> this?"
If we still think that the new function pg_postgres_pid() is useful in some ways to the users or developers, then we can have it as a superuser-only function and error out for non-superusers. Thoughts?

With Regards,
Bharath Rupireddy.
EnterpriseDB: http://www.enterprisedb.com
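One way to get the "superuser-only, error out for everyone else" behaviour Bharath proposes, expressed at SQL level as an added example (this is not code from the thread or from the proposed patch). `demo_postgres_pid` is a hypothetical name, and the value is taken from the first line of `postmaster.pid`, which a superuser can already read via `pg_read_file()`, the "other route" Tom mentions.

```sql
-- Added example, not part of the thread or of the proposed pg_postgres_pid() patch.
-- demo_postgres_pid is a hypothetical function name.
CREATE FUNCTION demo_postgres_pid() RETURNS integer
LANGUAGE plpgsql AS $$
BEGIN
    -- Explicit privilege check, the SQL-level equivalent of a superuser()
    -- test in a C-language backend function. is_superuser is a read-only GUC.
    IF current_setting('is_superuser') <> 'on' THEN
        RAISE insufficient_privilege
            USING MESSAGE = 'must be superuser to call demo_postgres_pid()';
    END IF;

    -- postmaster.pid lives in the data directory; its first line is the
    -- postmaster PID. pg_read_file() is itself restricted to superusers
    -- (or members of pg_read_server_files), so nothing new is exposed here.
    RETURN split_part(pg_read_file('postmaster.pid'), E'\n', 1)::integer;
END;
$$;

-- Defence in depth: also withdraw EXECUTE from PUBLIC, so a non-superuser is
-- refused at the ACL check before the function body ever runs. Superusers
-- bypass ACL checks, so this does not affect them.
REVOKE EXECUTE ON FUNCTION demo_postgres_pid() FROM PUBLIC;

-- Verification from an unprivileged session (role name is a placeholder):
-- the call must fail rather than return a PID.
--   SET ROLE some_unprivileged_role;
--   SELECT demo_postgres_pid();
--   RESET ROLE;
```

Either layer alone is enough to deny the value to non-superusers; keeping both means the restriction survives if someone later grants EXECUTE on the function without re-reading its body.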