On 2021/01/25 18:13, Bharath Rupireddy wrote:
> On Mon, Jan 25, 2021 at 1:20 PM Fujii Masao <masao.fujii@oss.nttdata.com> wrote:
>>> Yeah, connections can be discarded by non-super users using
>>> postgres_fdw_disconnect_all and postgres_fdw_disconnect. Given the
>>> fact that a non-super user requires a password to access foreign
>>> tables [1], IMO a non-super user changing something related to a super
>>> user makes no sense at all. If okay, we can have a check in
>>> disconnect_cached_connections something like below:
>>
>> Also like pg_terminate_backend(), we should disallow non-superuser to disconnect the connections established by
othernon-superuser if the requesting user is not a member of the other? Or that's overkill because the target to
discardis just a connection and it can be established again if necessary?
>
> Yes, if required backends can establish the connection again. But my
> worry is this - a non-super user disconnecting all or a given
> connection created by a super user?
Yes, I was also worried about that. But I found that there are other similar cases, for example,
- a cursor that superuser declared can be closed by non-superuser (set by SET ROLE or SET SESSION AUTHORIZATION) in the
samesession.
- a prepared statement that superuser created can be deallocated by non-superuser in the same session.
This makes me think that it's OK even for non-superuser to disconnect the connections established by superuser in the
samesession. For now I've not found any real security issue by doing that yet. Thought? Am I missing something?
Regards,
--
Fujii Masao
Advanced Computing Technology Center
Research and Development Headquarters
NTT DATA CORPORATION