Re: What's the point of allow_system_table_mods?

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Andres Freund <andres(at)anarazel(dot)de>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: What's the point of allow_system_table_mods?
Date: 2019-05-09 16:22:39
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-hackers

Andres Freund <andres(at)anarazel(dot)de> writes:
> I'm not quite clear what the goal of allow_system_table_mods
> is. Obviously, it's extremely dangerous to target catalogs with DDL. But
> at the same time we allow DML to catalog tables without any sort of
> restriction.

The last is not true, see pg_class_aclmask().

> I also don't understand what's achieved by having
> allow_system_table_mods be PGC_POSTMASTER.

True. Possibly there was some confusion with ignore_system_indexes,
which probably *should* be PGC_POSTMASTER: if you think the system
indexes are corrupt then they're corrupt for everybody.

> Wouldn't it be more sensible to disallow all catalog modifications
> unless allow_system_table_mods was enabled, and make
> allow_system_table_mods PGC_SUSET and GUC_DISALLOW_IN_FILE?

I'm on board with the second part of that but not the first.
DDL on the system catalogs is significantly more dangerous
than DML, so I think that having an extra layer of protection
for it is a good idea.

regards, tom lane

In response to


Browse pgsql-hackers by date

  From Date Subject
Next Message Bruce Momjian 2019-05-09 16:44:20 Re: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS)
Previous Message Andres Freund 2019-05-09 14:50:54 What's the point of allow_system_table_mods?