* Stephen Frost (sfr...@snowman.net) wrote: > Attached is a patch to address the pg_cancel/terminate_backend and the > statistics info as discussed previously. It sounds like we're coming to
And I forgot the attachment, of course. Apologies. Thanks, Stephen
diff --git a/src/backend/utils/adt/misc.c b/src/backend/utils/adt/misc.c new file mode 100644 index 67539ec..6924fb7 *** a/src/backend/utils/adt/misc.c --- b/src/backend/utils/adt/misc.c *************** *** 37,42 **** --- 37,43 ---- #include "utils/lsyscache.h" #include "utils/ruleutils.h" #include "tcop/tcopprot.h" + #include "utils/acl.h" #include "utils/builtins.h" #include "utils/timestamp.h" *************** pg_signal_backend(int pid, int sig) *** 113,121 **** return SIGNAL_BACKEND_ERROR; } ! if (!(superuser() || proc->roleId == GetUserId())) return SIGNAL_BACKEND_NOPERMISSION; /* * Can the process we just validated above end, followed by the pid being * recycled for a new process, before reaching here? Then we'd be trying --- 114,127 ---- return SIGNAL_BACKEND_ERROR; } ! /* Only allow superusers to signal superuser-owned backends. */ ! if (superuser_arg(proc->roleId) && !superuser()) return SIGNAL_BACKEND_NOPERMISSION; + /* Users can signal their own backends (including through membership) */ + if (!has_privs_of_role(GetUserId(), proc->roleId)) + return SIGNAL_BACKEND_NOPERMISSION; + /* * Can the process we just validated above end, followed by the pid being * recycled for a new process, before reaching here? Then we'd be trying 
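Review bot: The comment on the second new check in pg_signal_backend, `/* Users can signal their own backends (including through membership) */`, understates what the check grants. has_privs_of_role() accepts superusers and follows inherited privileges rather than bare membership, so a member without inheritance is still refused; I would word it as `/* Otherwise the caller must have the privileges of the role that owns the backend */`. Granting a role now also confers the right to cancel or terminate that role's sessions. The message callers raise for SIGNAL_BACKEND_NOPERMISSION and the user-facing description of pg_cancel_backend/pg_terminate_backend are outside this patch and presumably still describe the old same-user rule, so they should be updated with it. The function body continues outside the hunk.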
diff --git a/src/backend/utils/adt/pgstatfuncs.c b/src/backend/utils/adt/pgstatfuncs.c new file mode 100644 index d621a68..3663e93 *** a/src/backend/utils/adt/pgstatfuncs.c --- b/src/backend/utils/adt/pgstatfuncs.c *************** *** 20,25 **** --- 20,26 ---- #include "libpq/ip.h" #include "miscadmin.h" #include "pgstat.h" + #include "utils/acl.h" #include "utils/builtins.h" #include "utils/inet.h" #include "utils/timestamp.h" *************** pg_stat_get_activity(PG_FUNCTION_ARGS) *** 674,681 **** else nulls[15] = true; ! /* Values only available to same user or superuser */ ! if (superuser() || beentry->st_userid == GetUserId()) { SockAddr zero_clientaddr; --- 675,682 ---- else nulls[15] = true; ! /* Values only available to role member */ ! if (has_privs_of_role(GetUserId(), beentry->st_userid)) { SockAddr zero_clientaddr; *************** pg_stat_get_backend_activity(PG_FUNCTION *** 877,883 **** if ((beentry = pgstat_fetch_stat_beentry(beid)) == NULL) activity = "<backend information not available>"; ! else if (!superuser() && beentry->st_userid != GetUserId()) activity = "<insufficient privilege>"; else if (*(beentry->st_activity) == '\0') activity = "<command string not enabled>"; --- 878,884 ---- if ((beentry = pgstat_fetch_stat_beentry(beid)) == NULL) activity = "<backend information not available>"; ! else if (!has_privs_of_role(GetUserId(), beentry->st_userid)) activity = "<insufficient privilege>"; else if (*(beentry->st_activity) == '\0') activity = "<command string not enabled>"; *************** pg_stat_get_backend_waiting(PG_FUNCTION_ *** 898,904 **** if ((beentry = pgstat_fetch_stat_beentry(beid)) == NULL) PG_RETURN_NULL(); ! if (!superuser() && beentry->st_userid != GetUserId()) PG_RETURN_NULL(); result = beentry->st_waiting; --- 899,905 ---- if ((beentry = pgstat_fetch_stat_beentry(beid)) == NULL) PG_RETURN_NULL(); ! 
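Review bot: The visibility checks in pgstatfuncs.c do not carry the superuser-owned-backend guard that this patch adds to pg_signal_backend, so a non-superuser who has the privileges of a superuser role would presumably be able to read that session's query text and client address while being refused the right to signal it. If the asymmetry is intended, the comment in pg_stat_get_activity should say so. As written, `/* Values only available to role member */` is also imprecise, because has_privs_of_role() accepts superusers and follows inherited privileges; something like `/* Values only available to superusers and roles with the privileges of the backend's role */` is closer. The same applies to pg_stat_get_backend_activity, _waiting, _activity_start, _xact_start, _start, _client_addr and _client_port in the following hunks, whose bodies continue outside the hunks.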
if (!has_privs_of_role(GetUserId(), beentry->st_userid)) PG_RETURN_NULL(); result = beentry->st_waiting; *************** pg_stat_get_backend_activity_start(PG_FU *** 917,923 **** if ((beentry = pgstat_fetch_stat_beentry(beid)) == NULL) PG_RETURN_NULL(); ! if (!superuser() && beentry->st_userid != GetUserId()) PG_RETURN_NULL(); result = beentry->st_activity_start_timestamp; --- 918,924 ---- if ((beentry = pgstat_fetch_stat_beentry(beid)) == NULL) PG_RETURN_NULL(); ! if (!has_privs_of_role(GetUserId(), beentry->st_userid)) PG_RETURN_NULL(); result = beentry->st_activity_start_timestamp; *************** pg_stat_get_backend_xact_start(PG_FUNCTI *** 943,949 **** if ((beentry = pgstat_fetch_stat_beentry(beid)) == NULL) PG_RETURN_NULL(); ! if (!superuser() && beentry->st_userid != GetUserId()) PG_RETURN_NULL(); result = beentry->st_xact_start_timestamp; --- 944,950 ---- if ((beentry = pgstat_fetch_stat_beentry(beid)) == NULL) PG_RETURN_NULL(); ! if (!has_privs_of_role(GetUserId(), beentry->st_userid)) PG_RETURN_NULL(); result = beentry->st_xact_start_timestamp; *************** pg_stat_get_backend_start(PG_FUNCTION_AR *** 965,971 **** if ((beentry = pgstat_fetch_stat_beentry(beid)) == NULL) PG_RETURN_NULL(); ! if (!superuser() && beentry->st_userid != GetUserId()) PG_RETURN_NULL(); result = beentry->st_proc_start_timestamp; --- 966,972 ---- if ((beentry = pgstat_fetch_stat_beentry(beid)) == NULL) PG_RETURN_NULL(); ! if (!has_privs_of_role(GetUserId(), beentry->st_userid)) PG_RETURN_NULL(); result = beentry->st_proc_start_timestamp; *************** pg_stat_get_backend_client_addr(PG_FUNCT *** 989,995 **** if ((beentry = pgstat_fetch_stat_beentry(beid)) == NULL) PG_RETURN_NULL(); ! if (!superuser() && beentry->st_userid != GetUserId()) PG_RETURN_NULL(); /* A zeroed client addr means we don't know */ --- 990,996 ---- if ((beentry = pgstat_fetch_stat_beentry(beid)) == NULL) PG_RETURN_NULL(); ! 
if (!has_privs_of_role(GetUserId(), beentry->st_userid)) PG_RETURN_NULL(); /* A zeroed client addr means we don't know */ *************** pg_stat_get_backend_client_port(PG_FUNCT *** 1036,1042 **** if ((beentry = pgstat_fetch_stat_beentry(beid)) == NULL) PG_RETURN_NULL(); ! if (!superuser() && beentry->st_userid != GetUserId()) PG_RETURN_NULL(); /* A zeroed client addr means we don't know */ --- 1037,1043 ---- if ((beentry = pgstat_fetch_stat_beentry(beid)) == NULL) PG_RETURN_NULL(); ! if (!has_privs_of_role(GetUserId(), beentry->st_userid)) PG_RETURN_NULL(); /* A zeroed client addr means we don't know */