On 09/30/2017 10:32 PM, Andres Freund wrote:
> Hi,
>
> On 2017-09-30 22:28:39 -0400, Andrew Dunstan wrote:
>>>> But even after fixing that, there unfortunately is:
>>>>
>>>> static void
>>>> set_sig(char *signame)
>>>> {
>>>> …
>>>> #if 0
>>>>     /* probably should NOT provide SIGKILL */
>>>>     else if (strcmp(signame, "KILL") == 0)
>>>>         sig = SIGKILL;
>>>> #endif
>>>>
>>>> I'm unclear on what that provision is achieving? If you can kill with
>>>> pg_ctl you can do other nasty stuff too (like just use kill instead of
>>>> pg_ctl)?
>>
>> I put it in when we rewrote pg_ctl in C many years ago, possibly out of
>> a superabundance of caution. I agree it's worth revisiting. I think the
>> idea was that there's a difference between an ordinary footgun and an
>> officially sanctioned footgun :-)
> Heh. I'm inclined to take it out. We could add a --use-the-force-luke
> type parameter, but it doesn't seem worth it.

I agree, but I think we need this discussed on -hackers.

Does anyone have an objection to allowing "pg_ctl kill KILL somepid"?

As Andres points out, in most places you can just call kill from the
command line anyway, so disallowing it is not really a security feature.
Having it would let us have portable crash restart tests.

cheers

andrew

--
Andrew Dunstan https://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services