On Fri, Apr 05, 2024 at 07:56:56AM -0500, Nathan Bossart wrote: > On Fri, Apr 05, 2024 at 02:39:05PM +0900, Michael Paquier wrote: >> One thing that we should definitely not do is letting any user calling >> pg_signal_backend() know that a given PID maps to an autovacuum >> worker. This information is hidden in pg_stat_activity. And >> actually, doesn't the patch leak this information to all users when >> calling pg_signal_backend with random PID numbers because of the fact >> that SIGNAL_BACKEND_NOAUTOVACUUM exists? Any role could guess which >> PIDs are used by an autovacuum worker because of the granularity >> required for the error related to pg_signal_autovacuum. > > Hm. I hadn't considered that angle. IIUC right now they'll just get the > generic superuser error for autovacuum workers. I don't know how concerned > to be about users distinguishing autovacuum workers from other superuser > backends, _but_ if roles with pg_signal_autovacuum can't even figure out > the PIDs for the autovacuum workers, then this feature seems kind-of > useless. Perhaps we should allow roles with privileges of > pg_signal_autovacuum to see the autovacuum workers in pg_stat_activity.
There is pg_read_all_stats as well, so I don't see a big issue in requiring to be a member of this role as well for the sake of what's proposing here. I'd rather not leak any information at the end for anybody calling pg_signal_backend without access to the stats, so checking the backend type after the role sounds kind of a safer long-term approach for me. -- Michael
signature.asc
Description: PGP signature
