Re: erroneous restore into pg_catalog schema

On Mon, Jan 14, 2013 at 2:07 PM, Alvaro Herrera
<alvherre(at)2ndquadrant(dot)com> wrote:
> Tom Lane escribió:
>> Alvaro Herrera <alvherre(at)2ndquadrant(dot)com> writes:
>
>> > alvherre=# create extension adminpack;
>> > ERROR: permission denied for schema pg_catalog
>>
>> Um. I knew that that module's desire to shove stuff into pg_catalog
>> would bite us someday. But now that I think about it, I'm pretty sure
>> I recall discussions to the effect that there are other third-party
>> modules doing similar things.
>
> How about we provide a superuser-only function that an extension can
> call which will set enableSystemTableMods? It would get back
> automatically to the default value on transaction end. That way,
> extensions that wish to install stuff in pg_catalog can explicitely
> declare it, i, and the rest of the world enjoys consistent protection.

Or just document the existing GUC and make it something less than
PGC_POSTMASTER, like maybe PGC_SUSER.

But, really, I think allow_system_table_mods paints with too broad a
brush. It allows both things that are relatively OK (like creating a
function in pg_catalog) and things that are rampantly insane (like
dropping a column from pg_proc). It might be a good idea to make
those things controlled by two different switches.

Or perhaps there is some other way to make sure that the user "really
meant it", like refusing to create in pg_catalog unless the schema
name is given explicitly. I kind of like that idea, actually.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company