public inbox for [email protected]
From: Greg Sabino Mullane <[email protected]>
To: Andreas Joseph Krogh <[email protected]>
Cc: Tom Lane <[email protected]>
Cc: [email protected]
Subject: Re: Effects of REVOKE SELECT ON ALL TABLES IN SCHEMA pg_catalog FROM PUBLIC
Date: Thu, 12 Sep 2024 09:05:48 -0400
Message-ID: <CAKAnmm+SrS1=ggcc9qCAXd=uzJWzwH_CciM+aRr-PtDZjrEuRA@mail.gmail.com> (raw)
In-Reply-To: <VisenaEmail.1.4f10ceb0099d6ab1.191e48a6946@origo-test01.app.internal.visena.net>
References: <VisenaEmail.0.81936c517b2d9cfe.191e44de951@origo-test01.app.internal.visena.net>
<[email protected]>
<VisenaEmail.1.4f10ceb0099d6ab1.191e48a6946@origo-test01.app.internal.visena.net>
On Thu, Sep 12, 2024 at 12:52 AM Andreas Joseph Krogh <[email protected]>
wrote:
> I know PG is not designed for this, but I have this requirement
> nonetheless…
> I think preventing “most users and tools" from seeing/presenting this
> information is “good enough”.
>
As pointed out, there are very many workarounds. This is security theater.
> If read-access (SELECT) on views in public-schema still works, and
> pg_dump/restore etc. also works, this sounds like a solution to me.
>
pg_dump will absolutely not work without access to the system catalogs.
If you want to prevent information, stop direct access and make the
application call user functions.
(Also note that determining if a database or user exists does not even
require a successful login to the cluster.)
Cheers,
Greg
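The pattern Greg describes above (stop direct table access and let the application call user functions) sketched in PostgreSQL SQL, as an added example that is not part of the thread or of PostgreSQL's own documentation. The role, table and function names (app_owner, app_user, customers, get_customer) are assumptions. The data is gated by a SECURITY DEFINER function with a pinned search_path; the catalog itself is left alone, since the function's name and signature will still be visible in pg_catalog and tools such as pg_dump keep working.

```sql
-- Added example (not from the thread). Names app_owner, app_user, customers
-- and get_customer are assumptions for illustration. Run as a superuser.

-- An owner role that holds the objects, and a login role for the application
-- that gets no direct access to the table at all.
CREATE ROLE app_owner NOLOGIN;
CREATE ROLE app_user LOGIN PASSWORD 'change-me';

CREATE TABLE public.customers (
    id    bigint PRIMARY KEY,
    name  text   NOT NULL,
    email text   NOT NULL
);
ALTER TABLE public.customers OWNER TO app_owner;

-- Close the usual holes: PUBLIC loses everything on the schema and the table;
-- the application role keeps USAGE so it can resolve and call the function.
REVOKE ALL ON SCHEMA public FROM PUBLIC;
GRANT USAGE ON SCHEMA public TO app_user;
REVOKE ALL ON public.customers FROM PUBLIC;

-- The only read path: a SECURITY DEFINER function owned by app_owner.
-- search_path is pinned (pg_temp last) and the table is schema-qualified so a
-- caller cannot hijack unqualified names; email is deliberately not returned.
CREATE OR REPLACE FUNCTION public.get_customer(p_id bigint)
RETURNS TABLE (customer_id bigint, customer_name text)
LANGUAGE sql
SECURITY DEFINER
SET search_path = public, pg_temp
AS $$
    SELECT c.id, c.name
      FROM public.customers AS c
     WHERE c.id = p_id;
$$;
ALTER FUNCTION public.get_customer(bigint) OWNER TO app_owner;

-- New functions are executable by PUBLIC by default; take that away before
-- granting it to the one role that should have it.
REVOKE EXECUTE ON FUNCTION public.get_customer(bigint) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION public.get_customer(bigint) TO app_user;

-- Connected as app_user:
--   SELECT * FROM public.customers;         -- ERROR: permission denied for table customers
--   SELECT * FROM public.get_customer(42);  -- allowed; returns only id and name
```

What this buys is control over which rows and columns the application role can read, enforced by the server rather than by hiding catalog rows. It does not, and is not meant to, hide the existence of the table or function: that metadata stays in pg_catalog, which is exactly why the REVOKE on pg_catalog discussed in the thread gains nothing that this pattern does not give more reliably.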