Re: Patch to allow users to kill their own queries

From Magnus Hagander
Subject Re: Patch to allow users to kill their own queries
Date
Msg-id CABUevEzFJfbgjA9wS1ThQ5m3bfEoJ5xZEm4Fi4YQEZhfQbHWpg@mail.gmail.com
In reply to Re: Patch to allow users to kill their own queries  (Robert Haas <robertmhaas@gmail.com>)
List pgsql-hackers
On Friday, December 16, 2011, Robert Haas wrote:
> On Fri, Dec 16, 2011 at 1:21 AM, Greg Smith <greg@2ndquadrant.com> wrote:
> > This is a problem with the existing code though, and the proposed changes
> > don't materially alter that; there's just another quick check in one path
> > through.  Right now we check if someone is superuser, then if it's a backend
> > PID, then we send the signal.  If you assume someone can run through all the
> > PIDs between those checks and the kill, the system is already broken that
> > way.
>
> From a theoretical point of view, I believe it to be slightly
> different.  If a superuser sends a kill, they will certainly be
> authorized to kill whatever they end up killing, because they are
> authorized to kill anything.  On the other hand, the proposed patch

Not necessarily. What if it's recycled as a backend in a different postgres installation? Or just a cronjob or shell running as the same user?

Sure, you can argue that the superuser can destroy anything he wants - but in that case, why do we have a check for this at all in the first place?

I think we can safely say that any OS that actually manages to recycle the PID in the short time it takes to get between those instructions is so broken we don't need to care about that.
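
The window discussed in this thread (check that a PID is a legitimate target, then signal it) can be closed on Linux 5.3 or later by signalling a process handle instead of a PID number. The C code below is an added example, not part of the thread and not PostgreSQL code; `signal_if_owned_by`, `demo_child_killed_by` and the `/proc` ownership test standing in for the backend check are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper (not PostgreSQL code): send `sig` to `pid` only if the
 * process is owned by `owner`. Returns 0 on success, -1 if refused or gone. */
int signal_if_owned_by(pid_t pid, uid_t owner, int sig)
{
    char path[64];
    struct stat st;
    int rc = -1;
    /* 1. Pin the process: the pidfd keeps naming this exact process even if
     *    it exits and the kernel hands its PID number to something else. */
    int pidfd = (int) syscall(SYS_pidfd_open, pid, 0);
    if (pidfd < 0)
        return -1;
    /* 2. Authorization check, standing in for "is this the caller's backend?" */
    snprintf(path, sizeof path, "/proc/%ld", (long) pid);
    if (stat(path, &st) == 0 && st.st_uid == owner)
        /* 3. Signal the handle, not the number: if the target died after
         *    step 1 this fails with ESRCH instead of hitting a recycled PID,
         *    even if the check in step 2 looked at the PID's new owner. */
        rc = (int) syscall(SYS_pidfd_send_signal, pidfd, sig, NULL, 0);
    close(pidfd);
    return rc;
}

/* Constructed demo: fork an idle child and request SIGTERM on behalf of
 * `claimed_owner`. Returns the signal that actually ended the child. */
int demo_child_killed_by(uid_t claimed_owner)
{
    int status = 0;
    pid_t child = fork();
    if (child < 0)
        return -1;
    if (child == 0) { pause(); _exit(0); }
    if (signal_if_owned_by(child, claimed_owner, SIGTERM) != 0)
        kill(child, SIGKILL);   /* request refused: clean up the child ourselves */
    waitpid(child, &status, 0);
    return WIFSIGNALED(status) ? WTERMSIG(status) : -1;
}

int main(void)
{
    printf("own uid: signal %d\n", demo_child_killed_by(geteuid()));
    printf("other uid: signal %d\n", demo_child_killed_by(geteuid() + 1));
    return 0;
}
```

A plain `kill(pid, sig)` after the ownership check would leave the same gap between check and signal that the thread is arguing about.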

