Re: Another user complaint regarding visibility of pg_catalog data - Mailing list pgsql-docs

From: Laurenz Albe
Subject: Re: Another user complaint regarding visibility of pg_catalog data
Msg-id: d9d5b22443716abe461ce1b52330ef4139fd3e2d.camel@cybertec.at
In response to: Another user complaint regarding visibility of pg_catalog data ("David G. Johnston" <david.g.johnston@gmail.com>)
Responses: Re: Another user complaint regarding visibility of pg_catalog data
List: pgsql-docs
On Tue, 2023-11-07 at 12:28 -0700, David G. Johnston wrote:
> This comes up every so often (including today on Discord) and I keep having trouble
> figuring out where to point people for our official assertion and explanation
> for why anyone with a login can view routine bodies, view specifications, and comments.
>
> Is this something we just don't want to go into detail within our documentation,
> or just no one has cared enough to write something up (beyond my first draft back
> then) and form it into a patch?

I am not sure if we can and want to document the "why" (this does not really belong
into the technical documentation), but the fact that most catalog tables can be read
by PUBLIC is worth documenting.

Perhaps here: https://www.postgresql.org/docs/current/catalogs.html

When people ask me "why?", I tend to answer "why not?".  It is not a security
problem, in my opinion.  Every user is allowed to know that I have a table
"purchase" with a column "credit_card_nr".  As long as the permissions are set
correctly, that is no problem.  Any attempt to hide that information is at best
"security by obscurity".

Yours,
Laurenz Albe
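To illustrate the point made above, here is an added SQL session (constructed for this page, not part of the thread or of the PostgreSQL docs) showing that an unprivileged role can read the catalog description of a table, including its column comment, but cannot read its rows when no privilege has been granted. The role name and table definition are assumed, and the session is run by a superuser so that SET ROLE is permitted.

```sql
-- Constructed example: catalog metadata is readable by PUBLIC, but the
-- rows of the table are protected by ordinary table privileges.
CREATE ROLE other_user LOGIN;                 -- assumed, unprivileged role

-- Created by the superuser; nothing is granted to other_user.
CREATE TABLE purchase (id int PRIMARY KEY, credit_card_nr text);
COMMENT ON COLUMN purchase.credit_card_nr IS 'card number, tokenized upstream';

-- Now act as the unprivileged role.
SET ROLE other_user;

-- Catalog lookup succeeds: table name, column names and the comment are
-- all visible through pg_catalog, exactly as the reply above describes.
SELECT c.relname,
       a.attname,
       col_description(c.oid, a.attnum) AS column_comment
FROM pg_catalog.pg_class c
JOIN pg_catalog.pg_attribute a ON a.attrelid = c.oid
WHERE c.relname = 'purchase'
  AND a.attnum > 0
  AND NOT a.attisdropped;

-- Reading the data is what the privilege system guards: with no GRANT in
-- place this statement fails with a permission-denied error.
SELECT credit_card_nr FROM purchase;

-- The check itself is queryable, which is the practical way to verify that
-- "the permissions are set correctly" for a given role and table.
SELECT has_table_privilege('other_user', 'purchase', 'SELECT');

RESET ROLE;
```

The same pattern (catalog query as the unprivileged role, then has_table_privilege) works for views and routines via pg_views, pg_proc and has_function_privilege, so it can be scripted as a periodic privilege audit.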
