Bruce Momjian wrote:
Tom Lane wrote:
Bruce Momjian <[EMAIL PROTECTED]> writes:
> Seems like useful functionality.  Right now, how does an administrator
> kill another backend from psql?  They can't.

The question to ask is "should they be able to?"

I think any such facility is inherently a security risk, since it means
that a remote attacker who's managed to break into your superuser
account can randomly zap other backends.  Now admittedly there's plenty
of other mischief he can do with superuser privs, but that doesn't mean
we should hand him a pre-loaded, pre-sighted cannon.

Having to log into the database server locally to execute such
operations doesn't seem that bad to me.

If they can read/write your data (as superuser), killing backends is the least worry.

Even as superuser, they still need to get a lock to drop the table. So killing other backends will ...


This is so pointless. If an attacker manages to become superuser in the compromised database, what good are restrictions against killing backends? I agree that it should be restricted to backends, with an identification based on Xid and SIGINT. But that's it.


Jan


--
#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me.                                  #
#================================================== [EMAIL PROTECTED] #

