pg_signal_backend check is too restrictive

[pmpetit]

Hi,

Please note that security bugs or issues should be reported to security@pgadmin.org.

Describe the bug

If you want to kill a session using

then i have this error message

but using a query i can

select pg_terminate_backend(149682)

i think it is because you check that

pgadmin4/web/pgadmin/utils/driver/psycopg3/connection.py

Line 627 in 3898964

CASE WHEN 'pg_signal_backend'=ANY(ARRAY(WITH RECURSIVE cte AS (

the user has been granted with pg_signal_backend.

but in some case, you can kill a session if the user is granted with the connected user using 'with admin option'

for example i can kill if

grant the_user_to_kill to the_user_who_kill with admin option:

To Reproduce

Steps to reproduce the behavior:

1. create 2 users

create user user1 with password user1;
create user user2 with password user2;
grant user2 to user1 with admin option;

create 2 psql sessions one with user 1 an other with user2

2. go to pgadmin console connected as user1 and try to kill session using the red cross => you can't
3. execute the code

select pg_terminate_backend(the pid of user2);

check that you can kill the session.

version is

thanks

[yogeshmahajan-1903]

@pmpetit
Can you please try on latest version 8.3?

[pmpetit]

can't test on 8.3, app does not run as 7.8 did.

Is there any breaking change between 7.8 & 8.3 ?

[pmpetit]

7.8 i use to load my server connection using

/venv/bin/python3 setup.py --load-servers 

[pmpetit]

i can not import user anymore

The specified user ID (pierremarie.petit.partxxxxxxyyyzzzz) could not be found.

in 7.8 I was using
path/to/python /path/to/setup.py --load-servers input_file.json --user user@example.com

But now in 8.3 it seems to have changed
Do you have the equivalent in 8.3 ?

(I use load-servers only , but to set username from authent not from inside db, I don't find
the doc says # or, to specify a non-default user name and auth source (the default)
Thx

[yogeshmahajan-1903]

@pmpetit
Just remove '--' from load-servers. Now load-servers is command instead of switch.(In 8.3)

(Venv3121) % python3 setup.py load-servers ./server.json --user admin@admin.com
----------
Loading servers with:
User: admin@admin.com
SQLite pgAdmin config: <DB Path>pgadmin4.db
----------
Added 0 Server Group(s) and 1 Server(s)

[pmpetit]

ok thanks, now i can test in 8.3

i have the same problem.

[pmpetit]

but i can

[yogeshmahajan-1903]

This is working fine. Verified in 8.4 candidate build.