From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Andres Freund <andres(at)anarazel(dot)de> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: What's the point of allow_system_table_mods? |
Date: | 2019-05-09 16:22:39 |
Message-ID: | 24657.1557418959@sss.pgh.pa.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Andres Freund <andres(at)anarazel(dot)de> writes:
> I'm not quite clear what the goal of allow_system_table_mods
> is. Obviously, it's extremely dangerous to target catalogs with DDL. But
> at the same time we allow DML to catalog tables without any sort of
> restriction.
The last is not true, see pg_class_aclmask().
> I also don't understand what's achieved by having
> allow_system_table_mods be PGC_POSTMASTER.
True. Possibly there was some confusion with ignore_system_indexes,
which probably *should* be PGC_POSTMASTER: if you think the system
indexes are corrupt then they're corrupt for everybody.
> Wouldn't it be more sensible to disallow all catalog modifications
> unless allow_system_table_mods was enabled, and make
> allow_system_table_mods PGC_SUSET and GUC_DISALLOW_IN_FILE?
I'm on board with the second part of that but not the first.
DDL on the system catalogs is significantly more dangerous
than DML, so I think that having an extra layer of protection
for it is a good idea.
regards, tom lane
From | Date | Subject | |
---|---|---|---|
Next Message | Bruce Momjian | 2019-05-09 16:44:20 | Re: [Proposal] Table-level Transparent Data Encryption (TDE) and Key Management Service (KMS) |
Previous Message | Andres Freund | 2019-05-09 14:50:54 | What's the point of allow_system_table_mods? |