On Friday, December 16, 2011, Robert Haas wrote:

> On Fri, Dec 16, 2011 at 1:21 AM, Greg Smith <g...@2ndquadrant.com> wrote:
> > This is a problem with the existing code though, and the proposed changes
> > don't materially alter that; there's just another quick check in one path
> > through.  Right now we check if someone is superuser, then if it's a backend
> > PID, then we send the signal.  If you assume someone can run through all the
> > PIDs between those checks and the kill, the system is already broken that
> > way.
> From a theoretical point of view, I believe it to be slightly
> different.  If a superuser sends a kill, they will certainly be
> authorized to kill whatever they end up killing, because they are
> authorized to kill anything.  On the other hand, the proposed patch

Not necessarily. What if it's recycled as a backend in a different postgres
installation? Or just a cronjob or shell running as the same user?

Sure, you can argue that the superuser can destroy anything he wants - but
in that case, why do we have a check for this at all in the first place?

I think we can safely say that any OS that actually manages to recycle the
PID in the short time it takes to get between those instructions is so
broken we don't need to care about that.
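
The race the thread is arguing about, shown as an added example (this is illustrative C written for this page, not PostgreSQL's own code): signal_if_backend() is a stand-in for the "is it a backend PID, then kill()" sequence, with the window between the lookup and kill() marked. The second function shows the one guarantee POSIX does give: a child's PID cannot be handed out again until its parent has reaped it with waitpid(), so a parent that checks and then signals its own unreaped children cannot hit a recycled PID, whereas an unrelated process (a sibling backend, a cron job) has no such protection. The backend list, the demo functions and the return codes are assumptions made for the example.

```c
#include <errno.h>
#include <signal.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome codes for signal_if_backend() (chosen for this example). */
enum { SIG_SENT = 0, NOT_A_BACKEND = -1, KILL_FAILED = -2 };

/*
 * The check-then-kill pattern under discussion: confirm the PID is in our
 * list of backends, then signal it.  Nothing stops the target from exiting
 * and the PID from being reused between the lookup and the kill().
 * (Stand-in for the real check, not PostgreSQL's code.)
 */
int signal_if_backend(pid_t pid, const pid_t *backends, size_t n, int sig)
{
    size_t i;
    int found = 0;

    for (i = 0; i < n; i++)
        if (backends[i] == pid) { found = 1; break; }
    if (!found)
        return NOT_A_BACKEND;

    /* --- race window: pid may exit here and be handed to another process --- */

    if (kill(pid, sig) != 0)
        return KILL_FAILED;          /* ESRCH: nobody holds that PID any more */
    return SIG_SENT;
}

/* Does a process with this PID currently exist?  An unreaped zombie counts. */
static int pid_exists(pid_t pid)
{
    if (kill(pid, 0) == 0)
        return 1;
    return errno == EPERM;           /* exists, just not ours to signal */
}

/*
 * Fork a child that exits immediately, wait until it has actually exited
 * (EOF on a pipe), and probe the PID before and after reaping it.
 * Returns 1 if the PID stayed reserved until waitpid() (the POSIX rule),
 * 0 if it did not, -1 on a setup error.
 */
int zombie_pid_stays_reserved(void)
{
    int pipefd[2];
    char buf;
    pid_t child;
    int before, after, status;

    if (pipe(pipefd) != 0)
        return -1;
    child = fork();
    if (child < 0)
        return -1;
    if (child == 0) {
        close(pipefd[0]);
        _exit(0);                    /* write end closes on exit: parent sees EOF */
    }
    close(pipefd[1]);
    while (read(pipefd[0], &buf, 1) < 0 && errno == EINTR)
        ;                            /* returns 0 (EOF) once the child is gone */
    close(pipefd[0]);

    before = pid_exists(child);      /* zombie: still occupies the PID */
    if (waitpid(child, &status, 0) != child)
        return -1;
    after = pid_exists(child);       /* reaped: PID is free for reuse */

    return before == 1 && after == 0;
}

/*
 * A stale list: the child was reaped but never removed from "backends".
 * The membership check still passes; kill() then fails with ESRCH, or, if
 * the PID has already been reused, reaches a process we never vetted.
 * Signal 0 is used so the demo cannot harm a recycled PID.
 */
int stale_backend_demo(void)
{
    pid_t backends[1];
    int status;
    pid_t child = fork();

    if (child < 0)
        return -1;
    if (child == 0)
        _exit(0);
    waitpid(child, &status, 0);      /* reaped: PID can now be reused */
    backends[0] = child;             /* list was never updated */
    return signal_if_backend(child, backends, 1, 0);
}

/* Happy path: our own PID is in the list and signal 0 always reaches us. */
int live_backend_demo(void)
{
    pid_t backends[1];
    backends[0] = getpid();
    return signal_if_backend(getpid(), backends, 1, 0);
}
```

The window in signal_if_backend() is the one Greg and Robert are describing; whether an OS can recycle a PID inside it is a question of how quickly the parent reaps the old process and how the kernel allocates PIDs, and neither is under the signalling backend's control unless it is the parent.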
