From: Magnus Hagander Date: Sun, 15 Jan 2012 14:34:40 +0000 (+0100) Subject: Allow a user to kill his own queries using pg_cancel_backend() X-Git-Tag: REL9_2_BETA1~582 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=0495aaad8b337642830a4d4e82f8b8c02b27b1be;p=postgresql Allow a user to kill his own queries using pg_cancel_backend() Allows a user to use pg_cancel_queries() to cancel queries in other backends if they are running under the same role. pg_terminate_backend() still requires superuser permissoins. Short patch, many authors working on the bikeshed: Magnus Hagander, Josh Kupershmidt, Edward Muller, Greg Smith. --- diff --git a/doc/src/sgml/func.sgml b/doc/src/sgml/func.sgml index 2e06346584..7d7aba7aee 100644 --- a/doc/src/sgml/func.sgml +++ b/doc/src/sgml/func.sgml @@ -14262,8 +14262,8 @@ SELECT set_config('log_statement_stats', 'off', false); The functions shown in send control signals to - other server processes. Use of these functions is restricted - to superusers. + other server processes. Use of these functions is usually restricted + to superusers, with noted exceptions. @@ -14280,7 +14280,10 @@ SELECT set_config('log_statement_stats', 'off', false); pg_cancel_backend(pid int)boolean - Cancel a backend's current query + Cancel a backend's current query. You can execute this against + another backend that has exactly the same role as the user calling the + function. In all other cases, you must be a superuser. + @@ -14322,6 +14325,10 @@ SELECT set_config('log_statement_stats', 'off', false); postgres processes on the server (using ps on Unix or the Task Manager on Windows). + For the less restrictive pg_cancel_backend, the role of an + active backend can be found from + the usename column of the + pg_stat_activity view. diff --git a/src/backend/utils/adt/misc.c b/src/backend/utils/adt/misc.c index 9715bdd8ac..3de6a5c992 100644 --- a/src/backend/utils/adt/misc.c +++ b/src/backend/utils/adt/misc.c @@ -30,6 +30,7 @@ #include "postmaster/syslogger.h" #include "storage/fd.h" #include "storage/pmsignal.h" +#include "storage/proc.h" #include "storage/procarray.h" #include "tcop/tcopprot.h" #include "utils/builtins.h" @@ -70,15 +71,42 @@ current_query(PG_FUNCTION_ARGS) } /* - * Functions to send signals to other backends. + * Send a signal to another backend. + * The signal is delivered if the user is either a superuser or the same + * role as the backend being signaled. For "dangerous" signals, an explicit + * check for superuser needs to be done prior to calling this function. + * + * Returns 0 on success, 1 on general failure, and 2 on permission error. + * In the event of a general failure (returncode 1), a warning message will + * be emitted. For permission errors, doing that is the responsibility of + * the caller. */ -static bool +#define SIGNAL_BACKEND_SUCCESS 0 +#define SIGNAL_BACKEND_ERROR 1 +#define SIGNAL_BACKEND_NOPERMISSION 2 +static int pg_signal_backend(int pid, int sig) { + PGPROC *proc; + if (!superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - (errmsg("must be superuser to signal other server processes")))); + { + /* + * Since the user is not superuser, check for matching roles. Trust + * that BackendPidGetProc will return NULL if the pid isn't valid, + * even though the check for whether it's a backend process is below. + * The IsBackendPid check can't be relied on as definitive even if it + * was first. The process might end between successive checks + * regardless of their order. There's no way to acquire a lock on an + * arbitrary process to prevent that. But since so far all the callers + * of this mechanism involve some request for ending the process + * anyway, that it might end on its own first is not a problem. + */ + proc = BackendPidGetProc(pid); + + if (proc == NULL || proc->roleId != GetUserId()) + return SIGNAL_BACKEND_NOPERMISSION; + } if (!IsBackendPid(pid)) { @@ -88,9 +116,18 @@ pg_signal_backend(int pid, int sig) */ ereport(WARNING, (errmsg("PID %d is not a PostgreSQL server process", pid))); - return false; + return SIGNAL_BACKEND_ERROR; } + /* + * Can the process we just validated above end, followed by the pid being + * recycled for a new process, before reaching here? Then we'd be trying + * to kill the wrong thing. Seems near impossible when sequential pid + * assignment and wraparound is used. Perhaps it could happen on a system + * where pid re-use is randomized. That race condition possibility seems + * too unlikely to worry about. + */ + /* If we have setsid(), signal the backend's whole process group */ #ifdef HAVE_SETSID if (kill(-pid, sig)) @@ -101,23 +138,46 @@ pg_signal_backend(int pid, int sig) /* Again, just a warning to allow loops */ ereport(WARNING, (errmsg("could not send signal to process %d: %m", pid))); - return false; + return SIGNAL_BACKEND_ERROR; } - return true; + return SIGNAL_BACKEND_SUCCESS; } +/* + * Signal to cancel a backend process. This is allowed if you are superuser or + * have the same role as the process being canceled. + */ Datum pg_cancel_backend(PG_FUNCTION_ARGS) { - PG_RETURN_BOOL(pg_signal_backend(PG_GETARG_INT32(0), SIGINT)); + int r = pg_signal_backend(PG_GETARG_INT32(0), SIGINT); + + if (r == SIGNAL_BACKEND_NOPERMISSION) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + (errmsg("must be superuser or have the same role to cancel queries running in other server processes")))); + + PG_RETURN_BOOL(r == SIGNAL_BACKEND_SUCCESS); } +/* + * Signal to terminate a backend process. Only allowed by superuser. + */ Datum pg_terminate_backend(PG_FUNCTION_ARGS) { - PG_RETURN_BOOL(pg_signal_backend(PG_GETARG_INT32(0), SIGTERM)); + if (!superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("must be superuser to terminate other server processes"), + errhint("You can cancel your own processes with pg_cancel_backend()."))); + + PG_RETURN_BOOL(pg_signal_backend(PG_GETARG_INT32(0), SIGTERM) == SIGNAL_BACKEND_SUCCESS); } +/* + * Signal to reload the database configuration + */ Datum pg_reload_conf(PG_FUNCTION_ARGS) {