Re: allow_system_table_mods stuff - Mailing list pgsql-hackers
| From | Andres Freund |
|---|---|
| Subject | Re: allow_system_table_mods stuff |
| Date | |
| Msg-id | 20190621173445.42shsd6o34qk65wt@alap3.anarazel.de Whole thread Raw |
| In response to | Re: allow_system_table_mods stuff (Tom Lane <tgl@sss.pgh.pa.us>) |
| Responses |
Re: allow_system_table_mods stuff
|
| List | pgsql-hackers |
Hi, On 2019-06-21 12:28:43 -0400, Tom Lane wrote: > Robert Haas <robertmhaas@gmail.com> writes: > > I kinda feel like we should prohibit DML on system catalogs, even by > > superusers, unless you press the big red button that says "I am > > definitely sure that I know what I'm doing." > > Keep in mind that DML-on-system-catalogs is unfortunately a really > standard hack in extension upgrade scripts. (If memory serves, > some of our contrib scripts do that, and we've certainly told third > parties that it's the only way out of some box or other.) I don't > think we can just shut it off. What you seem to be proposing is to > allow it only after > > SET allow_system_table_mods = on; > > which would be all right except that an extension script containing > such a command will fail outright in existing releases. I think we > need to be friendlier than that to extension authors who are, for the > most part, trying to work around some deficiency of ours not theirs. I'm not quite convinced we need to go very far with compatibility here - pretty much by definition scripts that do this are tied a lot more to the internals than ones using DDL. But if we want to, we could just - for now at least - set allow_system_table_mods to a new 'warn' - when processing extension scripts as superusers. > > A related issue is that alter_system_table_mods prohibits both stuff > > that's probably not going to cause any big problem and stuff that is > > almost guaranteed to make the system permanently unusable - e.g. you > > could 'SET STORAGE' on a system catalog column, which is really pretty > > innocuous, or you could change the oid column of pg_database to a > > varlena type, which is guaranteed to destroy the universe. Here > > again, maybe some operations should be more protected than others, or > > maybe the relatively safe things just shouldn't be subject to > > allow_system_table_mods at all. > > Meh. It doesn't really seem to me that distinguishing these cases > is a productive use of code space or maintenance effort. Superusers > are assumed to know what they're doing, and most especially so if > they've hit the big red button. I really don't buy this. You need superuser for nearly all CREATE EXTENSION invocations, and for a lot of other routine tasks. Making the non-routine crazy stuff slightly harder is worthwhile. I don't think we can really separate those two into fully separate roles unfortunately, because the routine CREATE EXTENSION stuff obviously can be used to elevate privs. Greetings, Andres Freund
pgsql-hackers by date: