Re: refusing connections based on load ...
| From | Ian Lance Taylor |
|---|---|
| Subject | Re: refusing connections based on load ... |
| Date | |
| Msg-id | sioftnou7w.fsf@daffy.airs.com |
| In reply to | Re: refusing connections based on load ... (Tom Lane <tgl@sss.pgh.pa.us>) |
| Replies | Re: refusing connections based on load ... |
| List | pgsql-hackers |

Tom Lane <tgl@sss.pgh.pa.us> writes:

> On Linux and BSD it seems to be more common to put /dev/kmem into a
> specialized group "kmem", so running postgres as setgid kmem is not so
> immediately dangerous. Still, do you think it's a good idea to let an
> attacker have open-ended rights to read your kernel memory? It wouldn't
> take too much effort to sniff passwords, for example.

On Linux you can get the load average by doing `cat /proc/loadavg'. On NetBSD you can get the load average via a sysctl. On those systems and others the uptime program is neither setuid nor setgid.

> A less dangerous way of approaching it might be to have an option
> whereby the postmaster invokes 'uptime' via system() every so often
> (maybe once a minute?) and throttles on the basis of the results.
> The reaction time would be poorer, but security would be a whole lot
> better.

That is the way to do it on systems where obtaining the load average requires special privileges. But do you really need the load average once a minute? The load average printed by uptime is just as accurate as the load average obtained by examining the kernel.

Ian

---------------------------(end of broadcast)---------------------------
TIP 652: Life is a serious burden, which no thinking, humane person would wantonly inflict on someone else. -- Clarence Darrow
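
The unprivileged route mentioned in the message, sketched as an added example that is not part of the thread or of PostgreSQL: it parses the Linux `/proc/loadavg` format and makes a throttle decision without any access to /dev/kmem. The names `accept_connection` and `max_load`, the threshold value, and the fail-open choice are assumptions made for illustration.

```c
/* Added example, not PostgreSQL code: unprivileged load check for throttling. */
#include <stdio.h>
#include <stdlib.h>

/* Parse the first three fields of a /proc/loadavg line such as
 * "0.50 0.25 1.75 2/345 12345". Returns 0 on success, -1 if malformed. */
int parse_loadavg(const char *line, double avg[3])
{
    const char *p = line;
    for (int i = 0; i < 3; i++) {
        char *end;
        double v = strtod(p, &end);
        /* Reject non-numbers, NaN, negatives and absurd values. */
        if (end == p || !(v >= 0.0 && v < 1e6))
            return -1;
        if (*end != ' ' && *end != '\n' && *end != '\0')
            return -1;
        avg[i] = v;
        p = end;
    }
    return 0;
}

/* Read the averages from a world-readable file; no setuid or setgid needed. */
int read_loadavg(const char *path, double avg[3])
{
    char buf[128];
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    char *got = fgets(buf, sizeof buf, f);
    fclose(f);
    return got ? parse_loadavg(buf, avg) : -1;
}

/* Hypothetical policy: refuse when the 1-minute average exceeds max_load.
 * Assumption: if the load cannot be read, accept (fail open). */
int accept_connection(const char *path, double max_load)
{
    double avg[3];
    if (read_loadavg(path, avg) != 0)
        return 1;
    return avg[0] <= max_load;
}

int main(void)
{
    printf("%s\n", accept_connection("/proc/loadavg", 4.0) ? "accept" : "refuse");
    return 0;
}
```

Because the parser treats the file contents as untrusted input and the process needs no extra group membership, a compromise of the server gains nothing beyond what it already had.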