How to control pg_catalog results for each users?
Hello,
PostgreSQL provides pg_catalog as a system catalog.
However, PostgreSQL does not allow different users to retrieve different
table structures or table names using pg_catalog.
For example, when SELECT * FROM pg_catalog.pg_tables is executed by
User1 and User2, it is not possible to get different results.
In PostgreSQL, row-level security can be used to control rows in normal
tables.
However, row-level security is not possible to set this for pg_catalog,
and all users can get the all of table name , table structure and other
information from pg_catalog, which is considered a security problem.
(REVOKE to the system catalog is not restricted, REVOKE can control
access to system catalogs on a per-table basis)
Has there been any discussion or development on controlling this system
catalog information on a per-user basis?
Regards,
Shigeo Hirose
On Sunday, January 29, 2023, hirose shigeo(廣瀬 繁雄 □SWC○ACT) <
shigeo.hirose@toshiba.co.jp> wrote:
Has there been any discussion or development on controlling this system
catalog information on a per-user
I found this one:
/messages/by-id/20160107032927.GT3685@tamriel.snowman.net
David J.
"David G. Johnston" <david.g.johnston@gmail.com> writes:
On Sunday, January 29, 2023, hirose shigeo(廣瀬 繁雄 □SWC○ACT) <
shigeo.hirose@toshiba.co.jp> wrote:Has there been any discussion or development on controlling this system
catalog information on a per-user
I found this one:
/messages/by-id/20160107032927.GT3685@tamriel.snowman.net
There have been a ton of discussions around this area over the years.
The short answer is that if you think you need to prevent people
from seeing the contents of the system catalogs, Postgres is not
the database for you. I don't really foresee that changing, because
it would break at least as many use-cases as it would enable. The
thread David referenced only talks about side-effects on pg_dump,
but there are many other applications that would be just as broken
if we restricted this.
regards, tom lane
On Mon, 2023-01-30 at 14:00 +0900, hirose shigeo(廣瀬 繁雄 □SWC○ACT) wrote:
all users can get the all of table name , table structure and other
information from pg_catalog, which is considered a security problem.
The belief that restricting that will improve security goes by the name
of "security by obscurity", which is usually not considered robust.
Yours,
Laurenz Albe
On 1/30/23 02:41, Laurenz Albe wrote:
On Mon, 2023-01-30 at 14:00 +0900, hirose shigeo(廣瀬 繁雄 □SWC○ACT) wrote:
all users can get the all of table name , table structure and other
information from pg_catalog, which is considered a security problem.The belief that restricting that will improve security goes by the name
of "security by obscurity", which is usually not considered robust.
Your description sounds a whole lot like PostgreSQL's row level security.
--
Born in Arizona, moved to Babylonia.
There have been a ton of discussions around this area over the years.
The short answer is that if you think you need to prevent people
from seeing the contents of the system catalogs, Postgres is not
the database for you. I don't really foresee that changing, because
it would break at least as many use-cases as it would enable. The
thread David referenced only talks about side-effects on pg_dump,
but there are many other applications that would be just as broken
if we restricted this.
Thank you for information.
I understood community's concern and policy.
Regards,
Shigeo Hirose