Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sokMA-00DW5E-VL for pgsql-general@arkaria.postgresql.org; Thu, 12 Sep 2024 13:59:35 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1sokM9-008xb5-KV for pgsql-general@arkaria.postgresql.org; Thu, 12 Sep 2024 13:59:33 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sokM9-008xVq-8H for pgsql-general@lists.postgresql.org; Thu, 12 Sep 2024 13:59:33 +0000 Received: from mail-lj1-x22b.google.com ([2a00:1450:4864:20::22b]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1sokM5-000pQB-LL for pgsql-general@lists.postgresql.org; Thu, 12 Sep 2024 13:59:32 +0000 Received: by mail-lj1-x22b.google.com with SMTP id 38308e7fff4ca-2f74b6e1810so9242751fa.2 for ; Thu, 12 Sep 2024 06:59:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1726149570; x=1726754370; darn=lists.postgresql.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=f7MUwpnBHPTmkF3c4XhY2W5nXQylU3QDxvLvqBM/Ask=; b=Zf4eVBDP3ngVyCXirwKlrbh+t6cry/Yg5tLUi4v1vRNrKp1KmH11s+etLmkR+rD7a6 Td+hdFJOkbYCRWlQtt/bXSV3Al0PhYD7RARR3eb4CvPvaoo+dPgqddSwJRRHnGJXNa4a 23Cusd2V678N7/8Rq7t5/pnJ6B1hZfL6y1RGeCLBX8vGSvBZvnhwqOOsqBxfZGGhCS7S Bax08mIi1COsUuzuYY3E/A/k2UYFyGiqFvACNM+ar4SdpuXpGBe2c0VH+ByQNlMkaHxF ay5Tgkm0y155w+GylRT1eg56TS2Yx1J/7wjspiwzawFT2jCsZvs6i3XvzeNYkZNmZT4j OXGA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1726149570; x=1726754370; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=f7MUwpnBHPTmkF3c4XhY2W5nXQylU3QDxvLvqBM/Ask=; b=jpUeIxwzOA8ANQtiUz6fOBr/B/0rg3i48Kq1yfvidRI4OB/8M+UoEPuxFWfM/O6uMH agdgM97t1HMXLtTcEIWLkKXiZV0bolfsikmWiS0Fh1LYA7MhH3pHFDwlmTebmT+yh6x6 4N2/zmdC9c67aU9l/wh8GdefddmYFZAWw5ZMZeU0tApfJxIOAfG4mIxyyYkf0oCAgUaU JmmiBP4/z6EIxaiD6KJAJqYrfrDK6KIbbce6lHMhk5yTLrgcBlbnwohi8jgdIMSfrpC2 fEibV8HWpLz+C/PgerjeegUm9+avuF/Ag9xneL/VsckexzK4kqczCmtddIoCHJDoCUxT cQ0g== X-Forwarded-Encrypted: i=1; AJvYcCWYBLQfju5FGTxx9QHkwjaC7LvMRkJx3UsYPvL/MgTxVEZ7OAjMKI72YHpQqWuy72F9OYuK7ntdGU2k9qUR@lists.postgresql.org X-Gm-Message-State: AOJu0YzZqS+S+SPDLgj7WrZqDwg0zVFh4zMF9S3cJmrubzl3McXdg4cY DXW371EF9gCbC5kZHwcsIUQL8tCFqURpuThqIWHRbCwZRMRiPr3gCyfWPA5/aoMrJ8QLYNmcD4/ eFpSRO1E3rIXO9sJLN6zkfH/A5pf8huXf X-Google-Smtp-Source: AGHT+IHgsg11Dgt2xmsWbsb6l++r9TSiOU6GS2wPgRSNEldYiTpCkMrRw3KLVTUkGMv44jZ0VvvVysMtjMe/LdREqew= X-Received: by 2002:a2e:a58a:0:b0:2f6:6101:5a6c with SMTP id 38308e7fff4ca-2f787da4fcdmr17192771fa.5.1726149569523; Thu, 12 Sep 2024 06:59:29 -0700 (PDT) MIME-Version: 1.0 References: <3952715.1726115805@sss.pgh.pa.us> In-Reply-To: From: Greg Sabino Mullane Date: Thu, 12 Sep 2024 09:58:53 -0400 Message-ID: Subject: Re: Effects of REVOKE SELECT ON ALL TABLES IN SCHEMA pg_catalog FROM PUBLIC To: Andreas Joseph Krogh Cc: Tom Lane , pgsql-general@lists.postgresql.org Content-Type: multipart/alternative; boundary="000000000000ebb8d70621ec835f" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --000000000000ebb8d70621ec835f Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Thu, Sep 12, 2024 at 9:21=E2=80=AFAM Andreas Joseph Krogh wrote: > Yes, it *is* theater, but that doesn't prevent =E2=80=9Ccompliance people= =E2=80=9D to > care about it. We have to take measures to prevent =E2=80=9Cinformation l= eaks=E2=80=9D. > *shrug* Then the compliance people are not good at their jobs, frankly. But if it works for you, go ahead. As Tom said, it will work 95% of the time. But it will break things that should work, and it will not prevent the ability to get the information in other ways. To be clear, we never recommend messing with the system catalogs, and this falls under the umbrella of messing with the system catalogs. Cheers, Greg --000000000000ebb8d70621ec835f Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
On Thu, Sep 12, 2024 at 9:21=E2=80=AFAM A= ndreas Joseph Krogh <andreas@visen= a.com> wrote:
Yes, it is theater, but that d= oesn't prevent =E2=80=9Ccompliance people=E2=80=9D to care about it. We= have to take measures to prevent =E2=80=9Cinformation leaks=E2=80=9D.

*shrug* Then the compliance=C2=A0people a= re not good at their jobs, frankly.

But if it work= s for you, go ahead. As Tom said, it will work 95% of the time. But it will= break things that should work, and it will not prevent the ability to get = the information in other ways. To be clear, we never recommend messing with= the system catalogs, and this falls under the umbrella=C2=A0of messing wit= h the system catalogs.

Cheers,
Greg

--000000000000ebb8d70621ec835f--