Re: BUG #15182: Canceling authentication due to timeout aka Denial of Service Attack
Robert Haas <robertmhaas@gmail.com>
From: Robert Haas <robertmhaas@gmail.com>
To: Jeremy Schneider <schnjere@amazon.com>
Cc: PostgreSQL-development <pgsql-hackers@postgresql.org>, "Albin,
Lloyd P" <lalbin@scharp.org>
Date: 2018-07-23T15:29:33Z
Lists: pgsql-bugs, pgsql-hackers
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Improve VACUUM and ANALYZE by avoiding early lock queue
- a556549d7e6d 12.0 landed
-
Improve TRUNCATE by avoiding early lock queue
- f841ceb26d70 12.0 landed
-
Restrict access to reindex of shared catalogs for non-privileged users
- 87330e21c327 11.0 landed
- 661dd23950f2 12.0 landed
-
Improve behavior of concurrent CLUSTER.
- cbe24a6dd8fb 9.2.0 cited
On Thu, Jul 19, 2018 at 7:17 PM, Jeremy Schneider <schnjere@amazon.com> wrote: > I'd like to bump this old bug that Lloyd filed for more discussion. It > seems serious enough to me that we should at least talk about it. > > Anyone with simply the login privilege and the ability to run SQL can > instantly block all new incoming connections to a DB including new > superuser connections. > > session 1: > select pg_sleep(9999999999) from pg_stat_activity; > > session 2: > vacuum full pg_authid; -or- truncate table pg_authid; > > (there are likely other SQL you could run in session 2 as well.) ExecuteTruncate needs to be refactored to use RangeVarGetRelidExtended with a non-NULL callback rather than heap_openrv, and expand_vacuum_rel needs to use RangeVarGetRelidExtended with a callback instead of RangeVarGetRelid. See cbe24a6dd8fb224b9585f25b882d5ffdb55a0ba5 as an example of what to do. I fixed a large number of cases of this problem back around that time, but then ran out of steam and had to move onto other things before I got them all. Patches welcome. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company