On Tue, Aug 10, 2021 at 11:30:35AM -0400, Tom Lane wrote:
> Greg Stark <stark@mit.edu> writes:
>> While fixing up a patch I had dealing with temporary tables I noticed
>> a bit of a quirk with pg_temp schemas. Namely that we have no actual
>> meta data marking them as temporary aside from their names. And we
>> don't do anything to protect that -- superuser can happily issue ALTER
>> SCHEMA RENAME to rename it to a name that doesn't match pg_temp*.
The fun does not stop here. Here is one: drop the existing temporary
schema as superuser, keep the connection that dropped it opened, and
play with various temporary objects, even types or functions.
> This seems to me to be not very different from the 1001 other ways that
> a superuser can break a database. If *non* superusers could rename
> those schemas then I'd agree there's a problem to be solved.
If non-superusers could do anything that change what's stored in
pg_namespace and make things inconsistent with the backend-specific
state stored in memory, we are in trouble.
--
Michael
