ivan <iv@psycho.pl> writes:
> why when i revoke all on scheme pg_catalog from all (with public)
> i can make select from pg_ tables and views as ordinary user ??
Hm. pg_catalog is forcibly placed into the search path, thus bypassing
the normal check on whether you have USAGE privilege on it. I suppose
that could be claimed to be a bug ... but in point of fact, honoring
denial of USAGE on pg_catalog would mean that the system would fail to
function at all. So I cannot see any actual usefulness in doing such a
thing. You might as well just delete the user entirely as forbid him
access to pg_catalog.
> and how disallow : LISTEN , SET , RESET , and SHOW ?
Explain why we should?
regards, tom lane