| From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Gurjeet Singh <singh(dot)gurjeet(at)gmail(dot)com>, PGSQL Bugs <pgsql-bugs(at)postgresql(dot)org> |
| Subject: | Re: superuser unable to modify settings of a system table |
| Date: | 2010-06-04 21:04:41 |
| Message-ID: | AANLkTimfyESGnAgvsLZVgPXnWT8-YcDMQzBVsrmW9QzP@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
On Fri, Jun 4, 2010 at 4:53 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Robert Haas <robertmhaas(at)gmail(dot)com> writes:
>> Personally, I think it would be better to put some work into making
>> allow_system_table_mods a little less simple-minded. Right now,
>> !allow_system_table_mods prohibits you from doing perfectly sensible
>> things (as in the OP's original example) yet still allows you to do
>> things that are totally nuts (like DELETE FROM pg_class, which causes
>> every subsequent connection attempt for that database to panic).
>> Perfection may be too much to ask for but I'd take "modest
>> improvement"...
>
> Nope, that is the wrong viewpoint entirely. allow_system_table_mods
> is intended to prevent you from modifying the *structure* of the
> system catalogs, which is fairly critical because the backend C code
> tends to depend on that. Modifying the *content* of the catalogs
> is another matter, and in fact we let any superuser do that without
> having set allow_system_table_mods. There is no practical way to
> distinguish a benign catalog-content change from a disastrous one,
> so we don't try.
>
> It's possible that reloptions is a special case and we should treat it
> as being more nearly in the content than structure category. Not sure.
The backend C code also depends on the critical system indexes being
present in the system catalogs, yet we still allow them to be deleted.
Is there really a use case for users fiddling with pg_proc, pg_class,
etc. directly?
At any rate, I'd be happy to drop that part of the proposal. It would
be a step forward just to permit (even without
allow_system_table_mods) those changes which don't alter the structure
of the catalog. For ALTER TABLE, the SET STATISTICS, (RE)SET
(attribute_option), SET STORAGE, CLUSTER ON, SET WITHOUT CLUSTER, and
(RE)SET (reloptions) forms are all things that fall into this
category, I believe.
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise Postgres Company
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2010-06-04 21:13:34 | Re: superuser unable to modify settings of a system table |
| Previous Message | Farid Zidan | 2010-06-04 21:04:06 | Re: BUG #5490: Using distinct for select list causes insert of timestamp string literal to fail |