From 8635d73e2f2297820751e725c0c8a01e507cf951 Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Tue, 27 Aug 2019 18:03:09 -0400 Subject: [PATCH] Doc: improve documentation of pg_signal_backend default role. Give it an explanatory para like the other default roles have. Don't imply that it can send any signal whatever. In passing, reorder the table entries and explanatory paras for the default roles into some semblance of consistency. Ian Barwick, tweaked a bit by me. Discussion: https://postgr.es/m/89907e32-76f3-7282-a89c-ea19c722fe5d@2ndquadrant.com --- doc/src/sgml/user-manag.sgml | 49 +++++++++++++++++++++--------------- 1 file changed, 29 insertions(+), 20 deletions(-) diff --git a/doc/src/sgml/user-manag.sgml b/doc/src/sgml/user-manag.sgml index 6106244d32..66f162703d 100644 --- a/doc/src/sgml/user-manag.sgml +++ b/doc/src/sgml/user-manag.sgml @@ -530,9 +530,16 @@ DROP ROLE doomed_role; Execute monitoring functions that may take ACCESS SHARE locks on tables, potentially for a long time. + + pg_monitor + Read/execute various monitoring views and functions. + This role is a member of pg_read_all_settings, + pg_read_all_stats and + pg_stat_scan_tables. + pg_signal_backend - Send signals to other backends (eg: cancel query, terminate). + Signal another backend to cancel a query or terminate its session. pg_read_server_files @@ -549,27 +556,10 @@ DROP ROLE doomed_role; Allow executing programs on the database server as the user the database runs as with COPY and other functions which allow executing a server-side program. - - pg_monitor - Read/execute various monitoring views and functions. - This role is a member of pg_read_all_settings, - pg_read_all_stats and - pg_stat_scan_tables. - - - The pg_read_server_files, pg_write_server_files and - pg_execute_server_program roles are intended to allow administrators to have - trusted, but non-superuser, roles which are able to access files and run programs on the - database server as the user the database runs as. As these roles are able to access any file on - the server file system, they bypass all database-level permission checks when accessing files - directly and they could be used to gain superuser-level access, therefore care should be taken - when granting these roles to users. - - The pg_monitor, pg_read_all_settings, pg_read_all_stats and pg_stat_scan_tables @@ -579,6 +569,25 @@ DROP ROLE doomed_role; other system information normally restricted to superusers. + + The pg_signal_backend role is intended to allow + administrators to enable trusted, but non-superuser, roles to send signals + to other backends. Currently this role enables sending of signals for + canceling a query on another backend or terminating its session. A user + granted this role cannot however send signals to a backend owned by a + superuser. See . + + + + The pg_read_server_files, pg_write_server_files and + pg_execute_server_program roles are intended to allow administrators to have + trusted, but non-superuser, roles which are able to access files and run programs on the + database server as the user the database runs as. As these roles are able to access any file on + the server file system, they bypass all database-level permission checks when accessing files + directly and they could be used to gain superuser-level access, therefore + great care should be taken when granting these roles to users. + + Care should be taken when granting these roles to ensure they are only used where needed and with the understanding that these roles grant access to privileged @@ -586,8 +595,8 @@ DROP ROLE doomed_role; - Administrators can grant access to these roles to users using the GRANT - command: + Administrators can grant access to these roles to users using the + command, for example: GRANT pg_signal_backend TO admin_user;