Robert Haas <robertmhaas@gmail.com> writes:
> Personally, I think it would be better to put some work into making
> allow_system_table_mods a little less simple-minded. Right now,
> !allow_system_table_mods prohibits you from doing perfectly sensible
> things (as in the OP's original example) yet still allows you to do
> things that are totally nuts (like DELETE FROM pg_class, which causes
> every subsequent connection attempt for that database to panic).
> Perfection may be too much to ask for but I'd take "modest
> improvement"...

Nope, that is the wrong viewpoint entirely. allow_system_table_mods
is intended to prevent you from modifying the *structure* of the
system catalogs, which is fairly critical because the backend C code
tends to depend on that. Modifying the *content* of the catalogs
is another matter, and in fact we let any superuser do that without
having set allow_system_table_mods. There is no practical way to
distinguish a benign catalog-content change from a disastrous one,
so we don't try.

It's possible that reloptions is a special case and we should treat it
as being more nearly in the content than structure category. Not sure.

regards, tom lane