| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
| Cc: | Gurjeet Singh <singh(dot)gurjeet(at)gmail(dot)com>, PGSQL Bugs <pgsql-bugs(at)postgresql(dot)org> |
| Subject: | Re: superuser unable to modify settings of a system table |
| Date: | 2010-06-04 20:53:36 |
| Message-ID: | 23387.1275684816@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
Robert Haas <robertmhaas(at)gmail(dot)com> writes:
> Personally, I think it would be better to put some work into making
> allow_system_table_mods a little less simple-minded. Right now,
> !allow_system_table_mods prohibits you from doing perfectly sensible
> things (as in the OP's original example) yet still allows you to do
> things that are totally nuts (like DELETE FROM pg_class, which causes
> every subsequent connection attempt for that database to panic).
> Perfection may be too much to ask for but I'd take "modest
> improvement"...
Nope, that is the wrong viewpoint entirely. allow_system_table_mods
is intended to prevent you from modifying the *structure* of the
system catalogs, which is fairly critical because the backend C code
tends to depend on that. Modifying the *content* of the catalogs
is another matter, and in fact we let any superuser do that without
having set allow_system_table_mods. There is no practical way to
distinguish a benign catalog-content change from a disastrous one,
so we don't try.
It's possible that reloptions is a special case and we should treat it
as being more nearly in the content than structure category. Not sure.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2010-06-04 20:59:02 | Re: BUG #5488: pg_dump does not quote column names -> pg_restore may fail when upgrading |
| Previous Message | Bernd Helmle | 2010-06-04 20:50:51 | Re: BUG #5488: pg_dump does not quote column names -> pg_restore may fail when upgrading |