Thread: How to control pg_catalog results for each users?
Hello, PostgreSQL provides pg_catalog as a system catalog. However, PostgreSQL does not allow different users to retrieve different table structures or table names using pg_catalog. For example, when SELECT * FROM pg_catalog.pg_tables is executed by User1 and User2, it is not possible to get different results. In PostgreSQL, row-level security can be used to control rows in normal tables. However, row-level security is not possible to set this for pg_catalog, and all users can get the all of table name , table structure and other information from pg_catalog, which is considered a security problem. (REVOKE to the system catalog is not restricted, REVOKE can control access to system catalogs on a per-table basis) Has there been any discussion or development on controlling this system catalog information on a per-user basis? Regards, Shigeo Hirose
On Sunday, January 29, 2023, hirose shigeo(廣瀬 繁雄 □SWC○ACT) <shigeo.hirose@toshiba.co.jp> wrote:
Has there been any discussion or development on controlling this system catalog information on a per-user
I found this one:
David J.
"David G. Johnston" <david.g.johnston@gmail.com> writes: > On Sunday, January 29, 2023, hirose shigeo(廣瀬 繁雄 □SWC○ACT) < > shigeo.hirose@toshiba.co.jp> wrote: >> Has there been any discussion or development on controlling this system >> catalog information on a per-user > I found this one: > https://www.postgresql.org/message-id/flat/20160107032927.GT3685%40tamriel.snowman.net#6d9e59a0d052e7bdccd5a6c4e7a44a3f There have been a ton of discussions around this area over the years. The short answer is that if you think you need to prevent people from seeing the contents of the system catalogs, Postgres is not the database for you. I don't really foresee that changing, because it would break at least as many use-cases as it would enable. The thread David referenced only talks about side-effects on pg_dump, but there are many other applications that would be just as broken if we restricted this. regards, tom lane
On Mon, 2023-01-30 at 14:00 +0900, hirose shigeo(廣瀬 繁雄 □SWC○ACT) wrote: > all users can get the all of table name , table structure and other > information from pg_catalog, which is considered a security problem. The belief that restricting that will improve security goes by the name of "security by obscurity", which is usually not considered robust. Yours, Laurenz Albe
On 1/30/23 02:41, Laurenz Albe wrote: > On Mon, 2023-01-30 at 14:00 +0900, hirose shigeo(廣瀬 繁雄 □SWC○ACT) wrote: >> all users can get the all of table name , table structure and other >> information from pg_catalog, which is considered a security problem. > The belief that restricting that will improve security goes by the name > of "security by obscurity", which is usually not considered robust. Your description sounds a whole lot like PostgreSQL's row level security. -- Born in Arizona, moved to Babylonia.
> There have been a ton of discussions around this area over the years. > The short answer is that if you think you need to prevent people > from seeing the contents of the system catalogs, Postgres is not > the database for you. I don't really foresee that changing, because > it would break at least as many use-cases as it would enable. The > thread David referenced only talks about side-effects on pg_dump, > but there are many other applications that would be just as broken > if we restricted this. Thank you for information. I understood community's concern and policy. Regards, Shigeo Hirose