| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Basha <Basha(at)maxcontact(dot)com> |
| Cc: | Christophe Pettus <xof(at)thebuild(dot)com>, Joe Conway <mail(at)joeconway(dot)com>, PostgreSQL Bug List <pgsql-bugs(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: [EXT]: Re: BUG #18604: Regression in PostgreSQL 16.4: pg_dump Prevents Essential System Table Modifications |
| Date: | 2024-09-07 18:21:33 |
| Message-ID: | 2522013.1725733293@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
Basha <Basha(at)maxcontact(dot)com> writes:
> The fix in PG16.4, entirely prevents changes to pg_database, Is
> there any possibility of a more targeted approach.
If we allow pg_database to be replaced by a view, we have the same
hazard that the security patch means to fix: namely that the view
might be hostile, or even just that it might innocently lie to us
resulting in incorrect pg_dump output. I'm uninterested in poking
a hole in that security defense.
I don't think we've ended the discussion on whether to remove the
check that's preventing using RLS instead. But even if we choose
to do that, you're still depending on something that's not
supported and might break again in future. To be absolutely
clear: *nothing* you might use allow_system_table_mods to do
is considered supported for production purposes, and we will not
apologize for breaking it.
You really ought to think about how badly do you need to hide the
existence of other databases. It seems like a mighty low-priority
requirement from here, especially if you can't also hide the existence
of other roles.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Previous Message | Christophe Pettus | 2024-09-07 17:29:14 | Re: [EXT]: Re: BUG #18604: Regression in PostgreSQL 16.4: pg_dump Prevents Essential System Table Modifications |