On Wed, Sep 5, 2012 at 7:31 AM, Amit Kapila <amit.kap...@huawei.com> wrote:
> On Tuesday, September 04, 2012 12:40 AM Tom Lane wrote:
> Magnus Hagander <mag...@hagander.net> writes:
>> On Mon, Sep 3, 2012 at 8:51 PM, Tom Lane <t...@sss.pgh.pa.us> wrote:
>>>> I have another question after thinking about that for awhile: is there
>>>> any security concern there?  On Unix-oid systems, we expect the kernel
>>>> to restrict who can do a kill() on a postgres process.  If there's any
>>>> similar restriction on who can send to that named pipe in the Windows
>>>> version, it's not obvious from the code.  Do we have/need any
>>>> restriction there?
>>> We use the default for CreateNamedPipe() which is:
>>> " The ACLs in the default security descriptor for a named pipe grant
>>> full control to the LocalSystem account, administrators, and the
>>> creator owner. They also grant read access to members of the Everyone
>>> group and the anonymous account."
>>> (ref:
> http://msdn.microsoft.com/en-us/library/windows/desktop/aa365150(v=vs.85).aspx)
>> Hm.  The write protections sound fine ... but what's the semantics of
>> reading, is it like Unix pipes?  If so, couldn't a random third party
>> drain the pipe by reading from it, and thereby cause signals to be lost?
>   When a client connects to the server-end of a named pipe, the server-end of
> the pipe is now dedicated to the client. No more connections will be allowed
> to that server pipe instance until the client has disconnected.

This is the main argument, yes. Each client gets its own copy, so it
can't get drained.

>   So I think, based on the above 2 points, it can be deduced that the signal
> sent by pgkill() cannot be read by anyone else.


Well, what someone else could do is create a pipe with our name before
we do (since we use the actual name - it's \\.\pipe\pgsignal_<pid>), by
guessing what pid we will have. If that happens, we'll go into a loop
and try to recreate it while logging a warning message to
eventlog/stderr. (This happens for every backend.) We can't throw an
error on this and kill the backend because the pipe is created in the
background thread, not the main one.

 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/
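The two points the thread turns on are the default security descriptor that CreateNamedPipe() applies when it is handed a NULL SECURITY_ATTRIBUTES (full control to SYSTEM, Administrators and the creator; read access to Everyone and Anonymous) and the name-squatting case where another process creates \\.\pipe\pgsignal_<pid> first. The script below is an added illustration, not PostgreSQL code, of what a server end looks like when both are addressed explicitly: a DACL that grants access only to the creating account and SYSTEM, and a creation call that fails outright when an instance with that name already exists instead of quietly becoming a second instance. It assumes Windows PowerShell 5.1 on .NET Framework (the NamedPipeServerStream overload that takes a PipeSecurity is not present on .NET Core/5+), and it assumes that passing maxNumberOfServerInstances = 1 makes .NET add FILE_FLAG_FIRST_PIPE_INSTANCE to the underlying CreateNamedPipe() call; the pipe name simply mirrors the pgsignal_<pid> convention from the thread.

```powershell
# Added example, not PostgreSQL code. Assumes Windows PowerShell 5.1 / .NET Framework.
Add-Type -AssemblyName System.Core   # System.IO.Pipes lives here on .NET Framework

# Assumption: mirror the "\\.\pipe\pgsignal_<pid>" naming Magnus describes.
$PipeName = "pgsignal_$PID"

# 1. Is someone already squatting on our name? The pipe namespace can be enumerated
#    like a directory, so this is the same check a backend could make before logging
#    "could not create signal listener pipe" style warnings.
$existing = [System.IO.Directory]::GetFiles('\\.\pipe\') |
    Where-Object { (Split-Path $_ -Leaf) -eq $PipeName }
if ($existing) {
    Write-Warning "\\.\pipe\$PipeName already exists; another process got there first"
}

# 2. Build an explicit DACL instead of taking the CreateNamedPipe() default.
#    Only the creating account (every postgres process runs as the same service
#    user) and SYSTEM get anything; Everyone/Anonymous get nothing, not even read.
$sec    = New-Object System.IO.Pipes.PipeSecurity
$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$system = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18')
$sec.AddAccessRule((New-Object System.IO.Pipes.PipeAccessRule($me,     'FullControl', 'Allow')))
$sec.AddAccessRule((New-Object System.IO.Pipes.PipeAccessRule($system, 'FullControl', 'Allow')))

# 3. Create the server end. maxNumberOfServerInstances = 1 is assumed to make .NET
#    pass FILE_FLAG_FIRST_PIPE_INSTANCE, so if step 1 found a squatter this throws
#    (ERROR_ACCESS_DENIED) rather than attaching a second instance to their pipe.
#    Buffer sizes of 16 bytes match the tiny signal messages such a pipe carries.
try {
    $server = New-Object System.IO.Pipes.NamedPipeServerStream(
        $PipeName, 'InOut', 1, 'Message', 'None', 16, 16, $sec)
} catch {
    Write-Error "could not take ownership of \\.\pipe\$PipeName : $($_.Exception.Message)"
    return
}

# 4. Read the DACL back from the live handle so it can be compared with the default
#    quoted from MSDN in the thread (no Everyone or ANONYMOUS LOGON entry should appear).
$server.GetAccessControl().Access |
    Format-Table IdentityReference, PipeAccessRights, AccessControlType -AutoSize

$server.Dispose()
```

The caveat for a signalling pipe is that the ACL must still admit every principal that legitimately needs to connect: the postmaster, the backends and anything else that calls pgkill(), such as pg_ctl kill, have to run under an account listed in the DACL, so an owner-only descriptor only works when all of them share the service account. A squatted name remains a denial of service (the owner cannot be signalled) even with the flag, but at least it becomes a hard, visible failure at creation time rather than a pipe that appears to work.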

Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)