| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Andres Freund <andres(at)anarazel(dot)de> |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: What's the point of allow_system_table_mods? |
| Date: | 2019-05-09 16:22:39 |
| Message-ID: | 24657.1557418959@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Andres Freund <andres(at)anarazel(dot)de> writes:
> I'm not quite clear what the goal of allow_system_table_mods
> is. Obviously, it's extremely dangerous to target catalogs with DDL. But
> at the same time we allow DML to catalog tables without any sort of
> restriction.
The last is not true, see pg_class_aclmask().
> I also don't understand what's achieved by having
> allow_system_table_mods be PGC_POSTMASTER.
True. Possibly there was some confusion with ignore_system_indexes,
which probably *should* be PGC_POSTMASTER: if you think the system
indexes are corrupt then they're corrupt for everybody.
> Wouldn't it be more sensible to disallow all catalog modifications
> unless allow_system_table_mods was enabled, and make
> allow_system_table_mods PGC_SUSET and GUC_DISALLOW_IN_FILE?
I'm on board with the second part of that but not the first.
DDL on the system catalogs is significantly more dangerous
than DML, so I think that having an extra layer of protection
for it is a good idea.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2019-05-09 16:44:20 | Re: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS) |
| Previous Message | Andres Freund | 2019-05-09 14:50:54 | What's the point of allow_system_table_mods? |