Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sAYxp-00Akq2-BI for pgsql-general@arkaria.postgresql.org; Fri, 24 May 2024 17:44:22 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1sAYxo-007fNK-Th for pgsql-general@arkaria.postgresql.org; Fri, 24 May 2024 17:44:20 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sAYxo-007fNC-7Y for pgsql-general@lists.postgresql.org; Fri, 24 May 2024 17:44:20 +0000 Received: from mail-lf1-x130.google.com ([2a00:1450:4864:20::130]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1sAYxh-001oM7-PP for pgsql-general@lists.postgresql.org; Fri, 24 May 2024 17:44:18 +0000 Received: by mail-lf1-x130.google.com with SMTP id 2adb3069b0e04-5238b5c07efso8712425e87.3 for ; Fri, 24 May 2024 10:44:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bitnine-net.20230601.gappssmtp.com; s=20230601; t=1716572650; x=1717177450; darn=lists.postgresql.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=ImR39Och2yMVd0V88YRTvCnh3bJVlY7hREmo53LYgic=; b=2dne2p3Haqutp/MCgAbm3RgVHwa6azkJGIcUolOeyoLxXj7hVEUMnAkp5kWV7HppVg xINg0FclYM7tPEn9qYYklyPGCo1vhhvj+CyaI+jFXIye9ice9ShzyuW9HKru+Ga1SwSJ cXwQqexPf8YsMp7kAt79ufZUvdzfCosrbRWBPy76gMOx5dZEuPE2pSc3NJmEZJ9Xv5P8 3xv2CcgESmGGzWKPb6Jv4DEE17tuYXXc/K/+tvboCoT0HOr+y/qfp+ZGMYnzu9Kl3n47 sNQLdtYG58wDsqVhulbHIgqn+ClVrpE6QD1RAD8FUoOBOxLa/0+4M0adZC+SIfSBPz7D uF7g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1716572650; x=1717177450; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=ImR39Och2yMVd0V88YRTvCnh3bJVlY7hREmo53LYgic=; b=Me+flwMp/PKbEJ9u02pBW5bYqvWjXD/Xq7lSZYXRr2kAXibaAQ4olHV5fLg01F4j9S sMzsbkdRcqteotzVCInElFoBxSVf4m7uf38HydqTQk+/Xxr31F88HpDhxEi1maehgEOS p9GgGBg4GHON4kU/l3zFM+sWFKhaXBaOdwYPvXpqSMBMAt2xMduscZtQwvHJlm5rmmR2 FLfTc5lYBJMbilNESyEmf8HVj2ly/b4fijjulmJ6Ff0TwjgudxoGYKiTJ5fwMKIRAKHO vtkUunt5DU28370fLwrzzDvMcbqNsuvJTd5nlKfLNjJzXy51u5R90wU4IqspFXVgPtRh FgOQ== X-Forwarded-Encrypted: i=1; AJvYcCWdp62PRh/Ty6VLT4YSxBFqwaIl3JAjGc3C7wui9vCWhkYceE9Li9vE4rbXTt/x3Cl5fvPkw9nb0BAFQyEjdAbp5BYGXE5aXBvRvzbHcDn6BJfY X-Gm-Message-State: AOJu0YxKRFerFJhRDT7ViC2ysAju9B0eXF3e30jiKVn2g8UQxRoEFR6o ZAVYpbdBEhvlx+kFUu3/tblJJsKoSM0pOzqItiupOzjeJKWKMiSykdFv3uqy8pjwcbUgH/88I5G x/zACJ41GAaQRsinF70d3bh7am9a9UDkJlAm9xg== X-Google-Smtp-Source: AGHT+IGGQzgaZlhoYiBEpL0Hs7FTa/zAZihdDrM0n2PLmpHH7mhiJPXVu8/gJl22j1CGv9Bd4aWDSiszfojSGbO9PDA= X-Received: by 2002:ac2:5f1a:0:b0:519:2c84:2405 with SMTP id 2adb3069b0e04-529667cf9f9mr1681026e87.44.1716572650344; Fri, 24 May 2024 10:44:10 -0700 (PDT) MIME-Version: 1.0 References: <671405.1716570133@sss.pgh.pa.us> In-Reply-To: <671405.1716570133@sss.pgh.pa.us> From: Muhammad Salahuddin Manzoor Date: Fri, 24 May 2024 22:43:56 +0500 Message-ID: Subject: Re: prevent users from SELECT-ing from pg_roles/pg_database To: Tom Lane Cc: Andreas Joseph Krogh , pgsql-general Content-Type: multipart/alternative; boundary="0000000000000e29fd061936b70b" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --0000000000000e29fd061936b70b Content-Type: text/plain; charset="UTF-8" Greetings, Yes, you are correct. And For applications/systems/scripts relying on this information may require sgnificent modifications to handle the restricted access. Alternative approches can be. Auditing and monitoring. You can use pgaudit extension for auditing and minitoring. Use SE-PostgeSQL extension that give fine grained access control other than PG standard permissions. Try RLS row level security. May involve careful planning and may not cover all use cases. Regards, Salahuddin. On Fri, 24 May 2024, 22:02 Tom Lane, wrote: > Andreas Joseph Krogh writes: > > Hi, is there a way to prevent a user/role from SELECT-ing from certain > > system-tables? > > I'd like the contents of pg_{user,roles,database} to not be visible to > all > > users. > > As noted, you can in principle revoke the public SELECT grant from > those views/catalogs. However, the system is not designed to hide > such information, which means you'll have (at least) two kinds of > issues to worry about: > > 1. Queries or tools breaking that you didn't expect to break. > It's hardly uncommon for instance for queries on pg_class to > join to pg_roles to get the owner names for tables. > > 2. Information leaks. For example, mapping role OID to role name > is trivial with either regrole or pg_get_userbyid(), so it > wouldn't take long to scan the plausible range of role OIDs and > get all their names, even without SQL access to the underlying > catalog. > > regards, tom lane > > > --0000000000000e29fd061936b70b Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Greetings,
=
Yes, you are correct. And

For applications/systems/scripts relying=C2=A0 on this inf= ormation may require sgnificent modifications to handle the restricted acce= ss.

Alternative approche= s can be.

Auditing and m= onitoring.
You can use pgaudit extension for auditin= g and minitoring.

Use SE= -PostgeSQL extension that give fine grained access control other than PG st= andard permissions.

Try = RLS row level security. May involve careful planning and may not cover all = use cases.

Regards,
Salahuddin.


<= div class=3D"gmail_quote">
On Fri, 24 = May 2024, 22:02 Tom Lane, <tgl@sss.pgh.pa.us> wrote:
Andreas Joseph Krogh <andreas@visena.com> writes:
> Hi, is there a way to prevent a user/role from SELECT-ing from certain=
> system-tables?
> I'd like the contents of pg_{user,roles,database} to not be visibl= e to all
> users.

As noted, you can in principle revoke the public SELECT grant from
those views/catalogs.=C2=A0 However, the system is not designed to hide
such information, which means you'll have (at least) two kinds of
issues to worry about:

1. Queries or tools breaking that you didn't expect to break.
It's hardly uncommon for instance for queries on pg_class to
join to pg_roles to get the owner names for tables.

2. Information leaks.=C2=A0 For example, mapping role OID to role name
is trivial with either regrole or pg_get_userbyid(), so it
wouldn't take long to scan the plausible range of role OIDs and
get all their names, even without SQL access to the underlying
catalog.

=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 regards, tom lane


--0000000000000e29fd061936b70b--