prevent non-superuser terminate bgworker running as superuser
Hi All,
Currently, BackgroundWorker connected to a database by calling
BackgroundWorkerInitializeConnection with username as NULL can be
terminated by non-superuser with pg_signal_backend privilege. When the
username is NULL the bgworker process runs as superuser (which is
expected as per the documentation -
https://www.postgresql.org/docs/current/bgworker.html ), but can the
non-superuser (with pg_signal_backend) terminate this superuser owned
process?
We (Mahendrakar and Myself) think that this is a bug and proposing a
fix that sets MyProc->roleId to BOOTSTRAP_SUPERUSERID, similar to
InitializeSessionUserId, to prevent non-superuser terminating it.
Please let us know your comments.
Thanks,
Hemanth Sandrana
Attachments:
v1-0001-prevent-non-superuser-terminating-superuser-owned.patchapplication/octet-stream; name=v1-0001-prevent-non-superuser-terminating-superuser-owned.patchDownload+3-1
This seems like it should even be considered a security honestly.
On Thu, 19 Oct 2023, 19:49 Hemanth Sandrana, <hemanthforpostgres@gmail.com>
wrote:
Show quoted text
Hi All,
Currently, BackgroundWorker connected to a database by calling
BackgroundWorkerInitializeConnection with username as NULL can be
terminated by non-superuser with pg_signal_backend privilege. When the
username is NULL the bgworker process runs as superuser (which is
expected as per the documentation -
https://www.postgresql.org/docs/current/bgworker.html ), but can the
non-superuser (with pg_signal_backend) terminate this superuser owned
process?
We (Mahendrakar and Myself) think that this is a bug and proposing a
fix that sets MyProc->roleId to BOOTSTRAP_SUPERUSERID, similar to
InitializeSessionUserId, to prevent non-superuser terminating it.Please let us know your comments.
Thanks,
Hemanth Sandrana