Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sobZa-00CT37-MX for pgsql-general@arkaria.postgresql.org; Thu, 12 Sep 2024 04:36:51 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1sobZa-00F1Ru-AQ for pgsql-general@arkaria.postgresql.org; Thu, 12 Sep 2024 04:36:50 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sobZZ-00F1Rl-Vh for pgsql-general@lists.postgresql.org; Thu, 12 Sep 2024 04:36:49 +0000 Received: from sss.pgh.pa.us ([68.162.161.243]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sobZV-000kxq-TQ for pgsql-general@lists.postgresql.org; Thu, 12 Sep 2024 04:36:49 +0000 Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1]) by sss.pgh.pa.us (8.15.2/8.15.2) with ESMTP id 48C4ajWk3952716; Thu, 12 Sep 2024 00:36:45 -0400 From: Tom Lane To: Andreas Joseph Krogh cc: pgsql-general@lists.postgresql.org Subject: Re: Effects of REVOKE SELECT ON ALL TABLES IN SCHEMA pg_catalog FROM PUBLIC In-reply-to: References: Comments: In-reply-to Andreas Joseph Krogh message dated "Thu, 12 Sep 2024 05:41:03 +0200" MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-ID: <3952714.1726115805.1@sss.pgh.pa.us> Content-Transfer-Encoding: quoted-printable Date: Thu, 12 Sep 2024 00:36:45 -0400 Message-ID: <3952715.1726115805@sss.pgh.pa.us> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Andreas Joseph Krogh writes: > Motivation: I have PowerBI users, with a separate =E2=80=98reporting=E2=80= =99-role, accessing = > a database and I want to prevent them from listing all tables, users, da= tabases = > and view-definitions (to not see the underlying query). Postgres is not designed to support this requirement. > I'm evaluating this: > REVOKE SELECT ON ALL TABLES IN SCHEMA pg_catalog FROM PUBLIC; REVOKE SEL= ECT ON = > ALL TABLES IN SCHEMA information_schema FROM PUBLIC; > Will this affect =E2=80=9Cnormal behaviour=E2=80=9D, ie. prevent the pla= nner, or other = > internal mechanisms, from working properly for sessions logged in with t= he = > =E2=80=98reporting=E2=80=99-role? Probably 95% of that stuff will still work. By the same token, there are plenty of information-leaking code pathways that will still leak. For instance, your restricted user will have no trouble discovering the OIDs and names of all extant tables, using something like do $$ begin for tid in 1..1000000 loop if tid::regclass::text !=3D tid::text then raise notice 'tid % is %', tid, tid::regclass; end if; end loop; end $$; Functions such as pg_describe_object still work fine, too. Experimenting with psql, a lot of stuff is broken as expected: busted=3D> \d mytable ERROR: permission denied for table pg_class but some things still work: busted=3D> \sf sin CREATE OR REPLACE FUNCTION pg_catalog.sin(double precision) RETURNS double precision LANGUAGE internal IMMUTABLE PARALLEL SAFE STRICT AS $function$dsin$function$ This is pretty much the other side of the same coin. The reason you can still parse and plan a query is that it does not occur to large parts of the backend that there should be any reason to refuse to read a system catalog. That carries over to these operations as well. This recent thread might be enlightening: https://www.postgresql.org/message-id/flat/18604-04d64b68e981ced6%40postgr= esql.org If you have a requirement like this, I think the only safe way to meet it is to not give those users direct SQL access. Put some kind of restrictive app in front of the database. regards, tom lane