On 2014-12-05 09:28:13 -0500, Stephen Frost wrote: > static int > pg_signal_backend(int pid, int sig) > { > @@ -113,7 +117,12 @@ pg_signal_backend(int pid, int sig) > return SIGNAL_BACKEND_ERROR; > } > > - if (!(superuser() || proc->roleId == GetUserId())) > + /* Only allow superusers to signal superuser-owned backends. */ > + if (superuser_arg(proc->roleId) && !superuser()) > + return SIGNAL_BACKEND_NOSUPERUSER; > + > + /* Users can signal backends they have role membership in. */ > + if (!has_privs_of_role(GetUserId(), proc->roleId)) > return SIGNAL_BACKEND_NOPERMISSION; > > /* > @@ -141,35 +150,49 @@ pg_signal_backend(int pid, int sig) > }
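Review bot: the two sides of the new superuser check in the first hunk are evaluated against different roles: the target is classified with superuser_arg(proc->roleId), while the caller is classified with superuser(), which reflects the caller's current role (after SET ROLE). If proc->roleId records the target session's login role rather than its current role, a backend that logged in as a non-superuser and then did SET ROLE to a superuser role is not treated as "superuser-owned", and any caller that passes has_privs_of_role(GetUserId(), proc->roleId) for that login role is allowed through. Suggest stating in the comment which role proc->roleId holds and, if it is the session role, either comparing session roles on both sides or checking the target's effective role; the comment "Only allow superusers to signal superuser-owned backends." should then say which notion of ownership is meant. The second hunk shows only the closing brace, so there is nothing to review there.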
Is the 'Only allow superusers to signal superuser-owned backends' check actually safe that way? I personally try to never use a superuser role as the login user, but grant my account a superuser role that doesn't inherit. But IIRC PGPROC->roleId won't change, even if a user does SET ROLE.

Greetings,

Andres Freund

--
Andres Freund http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
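The setup the reply describes (a non-superuser login role with a NOINHERIT grant of a superuser role, escalated via SET ROLE), written out as an added SQL walkthrough that is not part of the thread or of PostgreSQL's own test suite. The role names (su_role, login_user, bystander) and the pid value 12345 are placeholders chosen here; the comments about what the quoted patch would decide for the target backend are the reply's concern restated, not a verified result.

```sql
-- Added example: three sessions against one cluster. Run the first block as a
-- superuser, the second as login_user, the third as bystander.

-- Session A (superuser): create the roles. login_user is NOT a superuser itself;
-- it merely holds a membership it does not inherit, as in the reply.
CREATE ROLE su_role SUPERUSER NOLOGIN;
CREATE ROLE login_user LOGIN NOINHERIT;
GRANT su_role TO login_user;
-- bystander is an ordinary role that has the privileges of login_user, so it
-- would pass has_privs_of_role(GetUserId(), login_user) in the quoted patch.
CREATE ROLE bystander LOGIN;
GRANT login_user TO bystander;

-- Session B (connect as login_user): escalate with SET ROLE and observe that
-- the session role and the current role now differ.
SELECT session_user, current_user;        -- login_user | login_user
SET ROLE su_role;
SELECT session_user, current_user;        -- login_user | su_role
SELECT current_setting('is_superuser');   -- on: the *current* role is a superuser
SELECT pg_backend_pid();                  -- note this pid; 12345 is used below

-- Session C (connect as bystander): try to signal session B.
-- pg_stat_activity.usename is assumed here to report the session (login) role,
-- so it still shows login_user even though session B now runs as su_role.
SELECT usename FROM pg_stat_activity WHERE pid = 12345;
-- Under the quoted patch, the target is classified by superuser_arg(proc->roleId).
-- If proc->roleId is still login_user after SET ROLE (the reply's point), the
-- "superuser-owned" branch is skipped and the decision falls through to
-- has_privs_of_role(bystander, login_user), which the GRANT above satisfies,
-- so a non-superuser would be allowed to cancel a backend currently running
-- as a superuser.
SELECT pg_cancel_backend(12345);
```

Replace 12345 with the pid printed by session B before running session C; the interesting observation is whether pg_cancel_backend returns true for bystander while session B's current role is su_role.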