Re: debugger from superuser only.... why?
On 22 Sep 2023, at 14:20, Luca Ferrari wrote:
>> Checked few sources, can not seem to find reasoning behind this limit:
>> You must have superuser privileges to use the debugger.
>> What is the reason?
> I suspect the debugger will need to open a connection back to pgadmin,
> and that probably is the need for privileges. Not sure.

I’ve collected log for superuser debug session under IntelliJ plugin.
Playing this under non-privileged user... some commands pass (below for history) and this one does not:

> SELECT * FROM pldbg_set_global_breakpoint(1, 65695, -1, NULL);
> ERROR: must be a superuser to create a breakpoint

I am wondering why is this, why not allow debugging for non-privileged users?

PAF

P.S. those that pass are

> SELECT setting
> FROM pg_settings
> WHERE name = 'shared_preload_libraries';
>
> SELECT * FROM (SELECT
>     t_namespace.nspname,
>     t_extension.extname,
>     t_extension.extversion
>   FROM pg_extension t_extension
>   JOIN pg_namespace t_namespace ON
>     t_extension.extnamespace = t_namespace.oid)q;
>
> SELECT * FROM (SELECT pid,
>     application_name,
>     usename,
>     client_addr
>   FROM pg_stat_activity
>   WHERE application_name = 'idea_debugger'
>     AND pid <> pg_backend_pid())q;
>
> SELECT * FROM pldbg_create_listener();
Re: debugger from superuser only.... why?
> On 25 Sep 2023, at 17:28, Tom Lane wrote:
> Alexander Petrossian writes:
>>>> I am wondering why is this, why not allow debugging for non-privileged
>>>> users?
> Even if there's a way to restrict
> debugging connections to sessions owned by the same user,

I guess, there is such a way. Looks trivial...

> you’d have a big problem with being able to change the behavior of
> security-definer functions.

Could you please elaborate on this, Tom?
My worry is that it is very inconvenient.
And if reasons are not super-solid, maybe one can budge the Author? :)

> Clearly, the authors of pldebugger
> decided that was a can of worms they didn't care to open.

Unless one wants to go fishing ;)

PAF
Re: debugger from superuser only.... why?
> > > SELECT * FROM pldbg_set_global_breakpoint(1, 65695, -1, NULL);
> > > ERROR: must be a superuser to create a breakpoint
> >
> > I am wondering why is this, why not allow debugging for non-privileged
> > users?
>
> Again, I'm suspecting that this debugger works by performing a
> sandboxing and attaching your session back. In order to communicate
> back and forth, you probably need such privileges.
> You should ask the developers why they need such privileges, or dig
> the code by yourself.

Some mail list you would suggest, Luka?

> > SELECT * FROM pldbg_create_listener();
> uh oh, it mentions a listener...then there must be some "sender"
> somewhere, that probably needs privileges.

Surprisingly this passes OK under non-privileged user.

PAF