Re: prevent users from SELECT-ing from pg_roles/pg_database

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Andreas Joseph Krogh <[email protected]>
To: Tom Lane <[email protected]>
Cc: [email protected]
Subject: Re: prevent users from SELECT-ing from pg_roles/pg_database
Date: Mon, 27 May 2024 09:33:51 +0200 (CEST)
Message-ID: <VisenaEmail.6d.85d4cf952480c677.18fb8f6e74b@origo-test01.app.internal.visena.net> (raw)
In-Reply-To: <[email protected]>
References: <VisenaEmail.66.54f51e587b38c9cc.18fab4b4eb6@origo-test01.app.internal.visena.net>
	<[email protected]>

På fredag 24. mai 2024 kl. 19:02:13, skrev Tom Lane <[email protected] 
<mailto:[email protected]>>:
Andreas Joseph Krogh <[email protected]> writes:
> Hi, is there a way to prevent a user/role from SELECT-ing from certain 
> system-tables?
> I'd like the contents of pg_{user,roles,database} to not be visible to all 
> users.

As noted, you can in principle revoke the public SELECT grant from
those views/catalogs. However, the system is not designed to hide
such information, which means you'll have (at least) two kinds of
issues to worry about:

1. Queries or tools breaking that you didn't expect to break.
It's hardly uncommon for instance for queries on pg_class to
join to pg_roles to get the owner names for tables.

2. Information leaks. For example, mapping role OID to role name
is trivial with either regrole or pg_get_userbyid(), so it
wouldn't take long to scan the plausible range of role OIDs and
get all their names, even without SQL access to the underlying
catalog.

regards, tom lane

I tried:
REVOKE SELECT ON pg_catalog.pg_database FROM public;
But that doesn't prevent a normal user from querying pg_database it seems…

--
Andreas Joseph Krogh
CTO / Partner - Visena AS
Mobile: +47 909 56 963
[email protected] <mailto:[email protected]>
www.visena.com <https://www.visena.com;
 <https://www.visena.com;

view thread (6+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected]
  Subject: Re: prevent users from SELECT-ing from pg_roles/pg_database
  In-Reply-To: <VisenaEmail.6d.85d4cf952480c677.18fb8f6e74b@origo-test01.app.internal.visena.net>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox