Magnus Hagander wrote:
I think any such facility is inherently a security risk, since it means
that a remote attacker who's managed to break into your superuser
account can randomly zap other backends. Now admittedly there's plenty
of other mischief he can do with superuser privs, but that doesn't mean
we should hand him a pre-loaded, pre-sighted cannon.

Having to log into the database server locally to execute such
operations doesn't seem that bad to me.
It does to me. I prefer being able to admin the server without having to do a separate login. I also much prefer being able to delegate the capability to terminate a backend, interrupt a long-running query, etc. to someone who does not have to have shell access on the server. I guess it depends on the environment.
Bruce Momjian <[EMAIL PROTECTED]> writes:
If they can read/write your data (as superuser), killing backends is the
least worry.
That's pretty much the assumption I was working under.
Perhaps for the paranoid we could invent a setting which turns the facility off. Personally, I don't usually allow a superuser *any* access except from the local host - maybe that would be an answer.
cheers
andrew