Participants
Antonin Houska
Antonin Houska
Daniel Gustafsson
Daniel Gustafsson
Tom Lane
Tom Lane
Attachments
Download Latest Patchset
+1-1
Show all attachments
Thread Outline
#1Antonin HouskaAntonin Houska
Oct 18, 2024
#2Daniel GustafssonDaniel Gustafssonto Antonin Houska (#1)
Oct 18, 2024
#3Tom LaneTom Laneto Daniel Gustafsson (#2)
Oct 18, 2024

Incorrect comment on pg_shadow view

Started by Antonin Houskaover 1 year ago3 messageshackers
Jump to latest
#1Antonin Houska
Antonin Houska
ah@cybertec.at

Attached is a proposal to fix a comment in pg_authid.h. pg_shadow is not (and
obviously should not be) accessible by public:

postgres=# SELECT relname, relacl FROM pg_class WHERE relname IN ('pg_shadow', 'pg_group');
relname | relacl
-----------+------------------------------------------
pg_shadow | {postgres=arwdDxtm/postgres}
pg_group | {postgres=arwdDxtm/postgres,=r/postgres}
(2 rows)

--
Antonin Houska
Web: https://www.cybertec-postgresql.com

Attachments:

pg_authid_comment.difftext/x-diffDownload+1-1
#2Daniel Gustafsson
Daniel Gustafsson
daniel@yesql.se
In reply to: Antonin Houska (#1)
Re: Incorrect comment on pg_shadow view

On 18 Oct 2024, at 13:50, Antonin Houska <ah@cybertec.at> wrote:

Attached is a proposal to fix a comment in pg_authid.h. pg_shadow is not (and
obviously should not be) accessible by public:

- *	  pg_shadow and pg_group are now publicly accessible views on pg_authid.
+ *	  pg_shadow and pg_group are now views on pg_authid.

I'm no native speaker but I don't interpret "publicly accessible" as readable
by the public role, rather that they are accessible via a user interface (in
this case SQL).

--
Daniel Gustafsson

#3Tom Lane
Tom Lane
tgl@sss.pgh.pa.us
In reply to: Daniel Gustafsson (#2)
Re: Incorrect comment on pg_shadow view

Daniel Gustafsson <daniel@yesql.se> writes:

On 18 Oct 2024, at 13:50, Antonin Houska <ah@cybertec.at> wrote:
Attached is a proposal to fix a comment in pg_authid.h. pg_shadow is not (and
obviously should not be) accessible by public:

- *	  pg_shadow and pg_group are now publicly accessible views on pg_authid.
+ *	  pg_shadow and pg_group are now views on pg_authid.

I'm no native speaker but I don't interpret "publicly accessible" as readable
by the public role, rather that they are accessible via a user interface (in
this case SQL).

I think Antonin is right. pg_authid is just as accessible from SQL as
these views are. Also note the phrasing in the SGML documentation of
pg_shadow [1]https://www.postgresql.org/docs/devel/view-pg-shadow.html:

The name stems from the fact that this table should not be
readable by the public since it contains passwords. pg_user is a
publicly readable view on pg_shadow that blanks out the password
field.

regards, tom lane

[1]: https://www.postgresql.org/docs/devel/view-pg-shadow.html

← Back to Topics