On Thu, Feb 4, 2021 at 3:27 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:
>
> Tomas Vondra <tomas.vondra@enterprisedb.com> writes:
> > On 2/3/21 4:08 PM, Tom Lane wrote:
> >> I'm disinclined to think that this is a good idea from a security
> >> perspective. Maybe if it's superuser-only it'd be ok (since a
> >> superuser would have other routes to discovering the value anyway).
>
> > Is the postmaster PID really sensitive? Users with OS access can just
> > list the processes, and for users without OS access / privileges it's
> > mostly useless, no?
>
> We disallow ordinary users from finding out the data directory location,
> even though that should be equally useless to unprivileged users. The
> postmaster PID seems like the same sort of information. It does not
> seem like a non-administrator could have any but nefarious use for that
> value. (Admittedly, this argument is somewhat weakened by exposing
> child processes' PIDs ... but you can't take down the whole installation
> by zapping a child process.)
>
> I'm basically in the same place you are in your other response: the
> question to ask is not "why not allow this?", but "why SHOULD we allow
> this?"
If we still think that the new function pg_postgres_pid() is useful in
some ways to the users or developers, then we can have it as a
superuser only function and error out for non-super users.
Thoughts?
With Regards,
Bharath Rupireddy.
EnterpriseDB: http://www.enterprisedb.com