Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1sAYJ6-00Afek-Ud
	for pgsql-general@arkaria.postgresql.org; Fri, 24 May 2024 17:02:18 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1sAYJ6-007GIY-UM
	for pgsql-general@arkaria.postgresql.org; Fri, 24 May 2024 17:02:16 +0000
Received: from makus.postgresql.org ([2001:4800:3e1:1::229])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <tgl@sss.pgh.pa.us>)
	id 1sAYJ6-007GIQ-JQ
	for pgsql-general@lists.postgresql.org; Fri, 24 May 2024 17:02:16 +0000
Received: from sss.pgh.pa.us ([68.162.161.243])
	by makus.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <tgl@sss.pgh.pa.us>)
	id 1sAYJ4-001o6H-5A
	for pgsql-general@lists.postgresql.org; Fri, 24 May 2024 17:02:15 +0000
Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1])
	by sss.pgh.pa.us (8.15.2/8.15.2) with ESMTP id 44OH2DW5671406;
	Fri, 24 May 2024 13:02:13 -0400
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Andreas Joseph Krogh <andreas@visena.com>
cc: pgsql-general@lists.postgresql.org
Subject: Re: prevent users from SELECT-ing from pg_roles/pg_database
In-reply-to: <VisenaEmail.66.54f51e587b38c9cc.18fab4b4eb6@origo-test01.app.internal.visena.net>
References: <VisenaEmail.66.54f51e587b38c9cc.18fab4b4eb6@origo-test01.app.internal.visena.net>
Comments: In-reply-to Andreas Joseph Krogh <andreas@visena.com>
	message dated "Fri, 24 May 2024 17:51:59 +0200"
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <671404.1716570133.1@sss.pgh.pa.us>
Date: Fri, 24 May 2024 13:02:13 -0400
Message-ID: <671405.1716570133@sss.pgh.pa.us>
List-Id: <pgsql-general.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-general@lists.postgresql.org>
List-Owner: <mailto:pgsql-general-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-general>
Archived-At: <https://www.postgresql.org/message-id/671405.1716570133%40sss.pgh.pa.us>
Precedence: bulk

Andreas Joseph Krogh <andreas@visena.com> writes:
> Hi, is there a way to prevent a user/role from SELECT-ing from certain 
> system-tables?
> I'd like the contents of pg_{user,roles,database} to not be visible to all 
> users.

As noted, you can in principle revoke the public SELECT grant from
those views/catalogs.  However, the system is not designed to hide
such information, which means you'll have (at least) two kinds of
issues to worry about:

1. Queries or tools breaking that you didn't expect to break.
It's hardly uncommon for instance for queries on pg_class to
join to pg_roles to get the owner names for tables.

2. Information leaks.  For example, mapping role OID to role name
is trivial with either regrole or pg_get_userbyid(), so it
wouldn't take long to scan the plausible range of role OIDs and
get all their names, even without SQL access to the underlying
catalog.

			regards, tom lane