Thread
-
Re: Function to kill backend
Josh Berkus <josh@agliodbs.com> — 2004-04-04T01:09:35Z
Tom, > > Seems like useful functionality. Right now, how does an administrator > > kill another backend from psql? They can't. > > The question to ask is "should they be able to?" And the answer is, "Yes". This is a commonly requested feature by DBA's migrating from SQL Server and Oracle. In those databases, there is a GUI to monitor database requests, and potentially kill them to resolve deadlocks or runaway queries (though, in the case of SQL server, it does not work). Right now, it is very difficult for any of our GUI projects to construct such an interface due to the necessity of root shell access. > I think any such facility is inherently a security risk, since it means > that a remote attacker who's managed to break into your superuser > account can randomly zap other backends. Now admittedly there's plenty > of other mischief he can do with superuser privs, but that doesn't mean > we should hand him a pre-loaded, pre-sighted cannon. And requiring DBAs to use root shell access whenever they want to stop a runaway query is somehow a good security approach? If nothing else, it exposes lots of DBAs to the temptation to use SIGKILL instead off SIGINT or SIGTERM, making the database shut down. And I, personally, worry about the number of root shells I have to use, becuase every once in a while I forget and leave one open at the end of the day. Killing backends with runaway queries is a routine administrative task. It should be possible to accomplish it remotely, using tools provided by PostgreSQL instead of the command shell, because then it is possible for us to limit what those tools can do. Further, if an intruder has superuser access, having them kill random backends is the last thing I'm worried about. "DROP DATABASE" ranks a lot higher. In fact, it would be nice if they started killing random backends because then I'd know something was wrong. -- -Josh Berkus Aglio Database Solutions San Francisco
-
Re: Function to kill backend
Christopher Kings-Lynne <chriskl@familyhealth.com.au> — 2004-04-04T02:56:39Z
> This is a commonly requested feature by DBA's migrating from SQL Server and > Oracle. In those databases, there is a GUI to monitor database requests, > and potentially kill them to resolve deadlocks or runaway queries (though, in > the case of SQL server, it does not work). Right now, it is very difficult > for any of our GUI projects to construct such an interface due to the > necessity of root shell access. Yes, MySQL can do it too. http://www.mysql.com/doc/en/KILL.html I would love to have a KILL <pid> command in postgres. I don't know how you would restrict it to only being able to kill postgres backends though. Chris
-
Re: Function to kill backend
Tom Lane <tgl@sss.pgh.pa.us> — 2004-04-04T04:38:44Z
Josh Berkus <josh@agliodbs.com> writes: > Killing backends with runaway queries is a routine administrative > task. Cancelling runaway queries is a routine task. I'm less convinced that a remote kill (ie SIGTERM) facility is such a great idea. regards, tom lane
-
Re: Function to kill backend
Mike Mascari <mascarm@mascari.com> — 2004-04-04T06:04:32Z
Tom Lane wrote: > Josh Berkus <josh@agliodbs.com> writes: > >>Killing backends with runaway queries is a routine administrative >>task. > > > Cancelling runaway queries is a routine task. I'm less convinced that a > remote kill (ie SIGTERM) facility is such a great idea. Of course, cancelling runaway queries on Oracle is only a necessity if the DBA hasn't made use of resource limits - PROFILEs. ;-) Mike Mascari