On Mon, Mar 16, 2026 at 10:01:22PM +0100, Andrei Lepikhov wrote:
> > Additionally, I believe this is the key point. Setting read-only at the
> > connection level alleviates any concern about an AI agent exploiting
> > misconfigured permissions to escalate its privileges (e.g. `select
> > unset_cluster_readonly(); drop table users;`).
> >
> > > Also, which commands do you want to restrict? For instance, vacuum
> > > isn't a DML command, but it can still change the state of table
> > > pages and pg_catalog.
>
> This functionality is now out of the Postgres core logic. It is not hard to
> add to the extension, though, let's say as a string GUC, where you may add
> any utility command you want to reject in read-only mode. So, depends on
> specific cases.
>
...
> > That said, once you start thinking about the precise scope of what
> > should be allowed or disallowed, the design space becomes quite large.
> > It may be worth clarifying the intended guarantees of such a feature
> > before discussing implementation details.
>
> Right now as an extension pg_readonly guarantees standard core XactReadOnly
> behaviour.
>
> >
> > I do think the underlying problem of safely exposing databases to
> > automated agents is becoming increasingly common, so it seems like a
> > useful area to explore.
I agree the need a read-only sessions is going to get more urgent with
MCP. Why doesn't the community code have a read-only session option
that can't be changed?
--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com
Do not let urgent matters crowd out time for investment in the future.
