From: Tom Lane
To: Laurenz Albe
Cc: Andreas Joseph Krogh, pgsql-general@lists.postgresql.org
Subject: Re: prevent users from SELECT-ing from pg_roles/pg_database
Date: Mon, 27 May 2024 16:48:17 -0700

Laurenz Albe writes:
> On Mon, 2024-05-27 at 09:33 +0200, Andreas Joseph Krogh wrote:
>> I tried:
>>    REVOKE SELECT ON pg_catalog.pg_database FROM public;
>> But that doesn't prevent a normal user from querying pg_database it seems…

> It works here.

Works for me too, although you'd have to do it over in each database
where you want it to be effective.  (Although pg_database is a shared
catalog, the metadata about it is not shared.)

regards, tom lane
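
The per-database point above, as an added example that is not part of the original thread: a shell sketch that repeats the REVOKE in every connectable database and checks what PUBLIC still holds there. It assumes `psql` is on PATH and the PG* environment variables give a superuser connection; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Assumes psql on PATH and PG* environment variables for a superuser.

# SQL run in each database: the REVOKE from the thread, followed by a
# check of the PUBLIC pseudo-role's remaining SELECT right in that database.
revoke_sql() {
    cat <<'SQL'
REVOKE SELECT ON pg_catalog.pg_database FROM PUBLIC;
SELECT current_database(),
       has_table_privilege('public', 'pg_catalog.pg_database', 'SELECT');
SQL
}

# Databases that accept connections (template0 normally does not).
list_databases() {
    psql -X -A -t -d postgres \
         -c "SELECT datname FROM pg_database WHERE datallowconn ORDER BY 1"
}

# Apply revoke_sql to each database name read from stdin, one per line.
# Prints "dbname|f" per database when PUBLIC no longer has SELECT.
# Returns non-zero if any connection fails or any database reports "t".
apply_all() {
    rc=0
    while IFS= read -r db; do
        [ -n "$db" ] || continue
        out=$(revoke_sql | psql -X -A -t -q -v ON_ERROR_STOP=1 -d "$db") \
            || { rc=1; continue; }
        printf '%s\n' "$out"
        case "$out" in
            *"|t") rc=1 ;;   # privilege still present in this database
        esac
    done
    return $rc
}

# Usage: list_databases | apply_all
```

The list includes template1 when it accepts connections; a database created later from a template starts with that template's catalog privileges, so it has to be checked as well.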