Magnus Hagander wrote:

I think any such facility is inherently a security risk, since it means that a remote attacker who's managed to break into your superuser account can randomly zap other backends. Now admittedly there's plenty of other mischief he can do with superuser privs, but that doesn't mean we should hand him a pre-loaded, pre-sighted cannon. Having to log into the database server locally to execute such operations doesn't seem that bad to me.

It does to me. I prefer being able to admin the server without having to do a separate login. I also much prefer being able to delegate the capability to terminate a backend, interrupt a long-running query, etc. to someone who does not have to have shell access on the server. I guess it depends on the environment.

Bruce Momjian <[EMAIL PROTECTED]> writes:

If they can read/write your data (as superuser), killing backends is the least worry.

That's pretty much the assumption I was working under.

Perhaps for the paranoid we could invent a setting which turns the facility off. Personally, I don't usually allow a superuser *any* access except from the local host - maybe that would be an answer.


