Incorrect comment on pg_shadow view

Started by Antonin Houska about 1 year ago, 3 messages
#1 Antonin Houska
ah@cybertec.at
1 attachment(s)

Attached is a proposal to fix a comment in pg_authid.h. pg_shadow is not (and
obviously should not be) accessible by public:

postgres=# SELECT relname, relacl FROM pg_class WHERE relname IN ('pg_shadow', 'pg_group');
  relname  |                  relacl
-----------+------------------------------------------
 pg_shadow | {postgres=arwdDxtm/postgres}
 pg_group  | {postgres=arwdDxtm/postgres,=r/postgres}
(2 rows)

--
Antonin Houska
Web: https://www.cybertec-postgresql.com

Attachments:

pg_authid_comment.diff (text/x-diff)
diff --git a/src/include/catalog/pg_authid.h b/src/include/catalog/pg_authid.h
index e846d75731..b0dbdf2dd2 100644
--- a/src/include/catalog/pg_authid.h
+++ b/src/include/catalog/pg_authid.h
@@ -3,7 +3,7 @@
  * pg_authid.h
  *	  definition of the "authorization identifier" system catalog (pg_authid)
  *
- *	  pg_shadow and pg_group are now publicly accessible views on pg_authid.
+ *	  pg_shadow and pg_group are now views on pg_authid.
  *
  *
  * Portions Copyright (c) 1996-2024, PostgreSQL Global Development Group
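Review bot: The replacement comment line removes the incorrect claim for pg_shadow, but it also drops the one access fact that was true: the relacl output in this message shows pg_group carrying "=r/postgres" (readable by PUBLIC) while pg_shadow has only the owner entry. Since the file defines the catalog that stores passwords, consider stating the distinction rather than deleting it, for example "pg_shadow and pg_group are now views on pg_authid; only pg_group is readable by PUBLIC." That keeps a future reader from assuming the two views have the same exposure.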
#2 Daniel Gustafsson
daniel@yesql.se
In reply to: Antonin Houska (#1)
Re: Incorrect comment on pg_shadow view

On 18 Oct 2024, at 13:50, Antonin Houska <ah@cybertec.at> wrote:

Attached is a proposal to fix a comment in pg_authid.h. pg_shadow is not (and
obviously should not be) accessible by public:

- *	  pg_shadow and pg_group are now publicly accessible views on pg_authid.
+ *	  pg_shadow and pg_group are now views on pg_authid.

I'm no native speaker but I don't interpret "publicly accessible" as readable
by the public role, rather that they are accessible via a user interface (in
this case SQL).

--
Daniel Gustafsson

#3 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Daniel Gustafsson (#2)
Re: Incorrect comment on pg_shadow view

Daniel Gustafsson <daniel@yesql.se> writes:

On 18 Oct 2024, at 13:50, Antonin Houska <ah@cybertec.at> wrote:
Attached is a proposal to fix a comment in pg_authid.h. pg_shadow is not (and
obviously should not be) accessible by public:

- *	  pg_shadow and pg_group are now publicly accessible views on pg_authid.
+ *	  pg_shadow and pg_group are now views on pg_authid.

I'm no native speaker but I don't interpret "publicly accessible" as readable
by the public role, rather that they are accessible via a user interface (in
this case SQL).

I think Antonin is right. pg_authid is just as accessible from SQL as
these views are. Also note the phrasing in the SGML documentation of
pg_shadow [1]:

The name stems from the fact that this table should not be
readable by the public since it contains passwords. pg_user is a
publicly readable view on pg_shadow that blanks out the password
field.

regards, tom lane

[1]: https://www.postgresql.org/docs/devel/view-pg-shadow.html
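
Added example (not part of the thread and not PostgreSQL code): a small Python decoder for the relacl strings shown in the first message, which reports what the PUBLIC pseudo-role (the entry with an empty grantee) can do on each view. The function names are hypothetical, and the parser assumes unquoted role names, as in the output above.

```python
import re

# Table privilege letters used in aclitem text output ("m" is MAINTAIN).
PRIV_LETTERS = {
    "r": "SELECT", "a": "INSERT", "w": "UPDATE", "d": "DELETE",
    "D": "TRUNCATE", "x": "REFERENCES", "t": "TRIGGER", "m": "MAINTAIN",
}

def parse_relacl(relacl):
    """Decode '{grantee=privs/grantor,...}' into (grantee, privs, grantor) tuples.

    privs maps privilege name -> True when held with grant option ('*').
    An empty grantee is reported as 'PUBLIC'.
    """
    if relacl is None:
        return []  # NULL relacl: default privileges, PUBLIC gets nothing on tables/views
    if not (relacl.startswith("{") and relacl.endswith("}")) or '"' in relacl:
        raise ValueError("unsupported aclitem[] text (quoted names not handled): %r" % relacl)
    entries = []
    for item in filter(None, relacl[1:-1].split(",")):
        grantee, eq, rest = item.partition("=")
        privs, slash, grantor = rest.partition("/")
        if not eq or not slash:
            raise ValueError("malformed aclitem: %r" % item)
        decoded = {}
        for m in re.finditer(r"([A-Za-z])(\*?)", privs):
            decoded[PRIV_LETTERS.get(m.group(1), m.group(1))] = bool(m.group(2))
        entries.append((grantee or "PUBLIC", decoded, grantor))
    return entries

def public_privileges(relacl):
    """Sorted privilege names granted to PUBLIC by this ACL."""
    return sorted(p for grantee, privs, _ in parse_relacl(relacl)
                  if grantee == "PUBLIC" for p in privs)

def publicly_readable(acls):
    """Names of relations whose ACL lets PUBLIC SELECT."""
    return sorted(n for n, acl in acls.items() if "SELECT" in public_privileges(acl))

# relacl values copied from the psql output in the first message.
PAGE_ACLS = {
    "pg_shadow": "{postgres=arwdDxtm/postgres}",
    "pg_group": "{postgres=arwdDxtm/postgres,=r/postgres}",
}

if __name__ == "__main__":
    for name, acl in PAGE_ACLS.items():
        print(name, "PUBLIC:", public_privileges(acl) or "no access")
```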