On Wed, Feb 5, 2020 at 8:27 PM Masahiko Sawada
<masahiko.sawada@2ndquadrant.com> wrote:
> Users can create database objects such as functions in pg_catalog.
> But if I'm not missing something, currently there is no
> straightforward way to identify whether an object is a user-created object
> or a system object created during initdb. If we can do that,
> users will be able to check if malicious functions are not created in
> the database, which is important from the security perspective.
>
> I've attached a PoC patch to introduce a SQL function
> pg_is_user_object() that returns true if the given oid is a user object
> oid, that is, greater than or equal to FirstNormalObjectId. Feedback is
> very welcome.

+1.

About the implementation, how about defining a static inline function,
say is_user_object(), next to FirstNormalObjectId's definition and
make pg_is_user_object() call it? There are a few places in the
backend code that perform the same computation as pg_is_user_object(),
which could be changed to use is_user_object() instead.

Thanks,
Amit
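
Added example, not part of the original message or the attached patch: an audit query that applies the OID test discussed in this thread to several catalogs at once, for servers that do not have pg_is_user_object(). It assumes FirstNormalObjectId is 16384 (the thread does not quote the value), and the extension_member column is an addition here, since objects installed by extensions also get OIDs at or above that boundary.

```sql
-- Constructed audit query: objects living in pg_catalog whose OID is at or
-- above FirstNormalObjectId, i.e. created after initdb.
-- Assumption: FirstNormalObjectId = 16384 (src/include/access/transam.h).
WITH catalog_objects AS (
    SELECT 'function' AS kind, p.oid, p.proname::text AS name,
           p.pronamespace AS nsp, p.proowner AS owner,
           'pg_proc'::regclass AS classid
    FROM pg_proc p
    UNION ALL
    SELECT 'relation', c.oid, c.relname::text, c.relnamespace, c.relowner,
           'pg_class'::regclass
    FROM pg_class c
    UNION ALL
    SELECT 'type', t.oid, t.typname::text, t.typnamespace, t.typowner,
           'pg_type'::regclass
    FROM pg_type t
    UNION ALL
    SELECT 'operator', o.oid, o.oprname::text, o.oprnamespace, o.oprowner,
           'pg_operator'::regclass
    FROM pg_operator o
)
SELECT co.kind,
       co.oid,
       co.name,
       pg_get_userbyid(co.owner) AS owner,
       -- true when the object was installed by CREATE EXTENSION
       -- (pg_depend records extension membership with deptype 'e')
       EXISTS (SELECT 1
               FROM pg_depend d
               WHERE d.classid = co.classid
                 AND d.objid = co.oid
                 AND d.deptype = 'e') AS extension_member
FROM catalog_objects co
JOIN pg_namespace n ON n.oid = co.nsp
WHERE n.nspname = 'pg_catalog'
  AND co.oid >= 16384
ORDER BY co.kind, co.oid;
```

On a freshly initialized cluster this returns no rows; any row with extension_member = false is an object someone created in pg_catalog by hand and is worth reviewing.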