Thread: DELETE FROM pg_class
Hello, I see that I can modify system tables even though I have not set allow_system_table_mods... Is this a feature or a bug? Self contained code postgres=# SELECT version(); version --------------------------------------------------------------------------------------------------------------- PostgreSQL 8.2.4 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.1.3 20070718 (prerelease) (Debian 4.1.2-14) (1 row) postgres=# SHOW allow_system_table_mods; allow_system_table_mods ------------------------- off (1 row) postgres=# CREATE DATABASE foo; CREATE DATABASE postgres=# \c foo You are now connected to database "foo". foo=# DELETE FROM pg_class; DELETE 204 foo=# SELECT count(*) FROM pg_class; ERROR: could not find pg_class tuple for index 2662 foo=# \c postgres You are now connected to database "postgres". postgres=# \c foo server closed the connection unexpectedly This probably means the server terminated abnormally before or while processing the request. Previous connection kept postgres=# Regards, Dawid
On Mon, 2007-09-24 at 14:44 +0200, Dawid Kuroczko wrote: > Hello, I see that I can modify system tables even though I have > not set allow_system_table_mods... Is this a feature or a bug? allow_system_table_mods allows you to modify the structure, not just the data, i.e. add additional columns to system tables. Superusers have the capability to modify data in catalog tables and many other things besides, normal users don't. -- Simon Riggs 2ndQuadrant http://www.2ndQuadrant.com
Simon Riggs <simon@2ndquadrant.com> writes: > On Mon, 2007-09-24 at 14:44 +0200, Dawid Kuroczko wrote: >> Hello, I see that I can modify system tables even though I have >> not set allow_system_table_mods... Is this a feature or a bug? > allow_system_table_mods allows you to modify the structure, not just the > data, i.e. add additional columns to system tables. > Superusers have the capability to modify data in catalog tables and many > other things besides, normal users don't. It is possible to disable this by turning off your pg_authid.rolcatupdate flag, but AFAIR there is no handy support for that (eg, no separate ALTER ROLE option). The better advice though is "don't run as superuser except when you absolutely must". You don't do random work as root, do you? regards, tom lane
On 9/24/07, Tom Lane <tgl@sss.pgh.pa.us> wrote: > Simon Riggs <simon@2ndquadrant.com> writes: > > On Mon, 2007-09-24 at 14:44 +0200, Dawid Kuroczko wrote: > >> Hello, I see that I can modify system tables even though I have > >> not set allow_system_table_mods... Is this a feature or a bug? > > > allow_system_table_mods allows you to modify the structure, not just the > > data, i.e. add additional columns to system tables. > > > Superusers have the capability to modify data in catalog tables and many > > other things besides, normal users don't. > > It is possible to disable this by turning off your > pg_authid.rolcatupdate flag, but AFAIR there is no handy support for > that (eg, no separate ALTER ROLE option). > > The better advice though is "don't run as superuser except when you > absolutely must". You don't do random work as root, do you? Nah, actually a friend (user of the other open source RDBMS) asked me if you can overload PostgreSQL builtins (like new()). And it was quite simple. I thought though, that I need allow_system_table_mods for it and it surprised me that I just needed to become superuser... Somehow, when I read documentation, my internal parser omitted the "of the structure" of the "Allows modification of the structure of system tables." sentence. I feel a bit foolish for asking this question, but now I am a bit wiser. Regards, Dawid