public inbox for [email protected]
help / color / mirror / Atom feedFrom: Fujii Masao <[email protected]>
To: Nisha Moond <[email protected]>
Cc: PostgreSQL Hackers <[email protected]>
Subject: Re: Fix column privileges for pg_subscription.subwalrcvtimeout
Date: Tue, 2 Jun 2026 11:46:20 +0900
Message-ID: <CAHGQGwEOvk0ioxT+eGX-6vHO=2kQRXwKcbOku0qW2cEZ0DnJiQ@mail.gmail.com> (raw)
In-Reply-To: <CABdArM4uA=6nA0BunJwudiEoY1BcWUS_oj_2pkEq_d-YdiBJhw@mail.gmail.com>
References: <CABdArM4uA=6nA0BunJwudiEoY1BcWUS_oj_2pkEq_d-YdiBJhw@mail.gmail.com>
On Mon, Jun 1, 2026 at 10:44 PM Nisha Moond <[email protected]> wrote:
>
> Hi Hackers,
>
> IIUC, all columns of pg_subscription, except subconninfo, are intended
> to be readable by non-superusers as well. A comment in
> system_views.sql also states:
> "-- All columns of pg_subscription except subconninfo are publicly readable."
>
> However, 'subwalrcvtimeout' is currently not accessible:
> Test:
> postgres=# CREATE ROLE nisha LOGIN PASSWORD 'testpass';
> CREATE ROLE
> postgres=# SET SESSION AUTHORIZATION nisha;
> SET
> postgres=> select subwalrcvtimeout from pg_subscription;
> ERROR: permission denied for table pg_subscription
>
> It appears the column-level privileges for pg_subscription were not
> updated when subwalrcvtimeout was added.
>
> Attached is a small fix patch to grant public access to this column,
> consistent with the existing behavior of the other pg_subscription
> columns.
Thanks for the report and the patch! It looks good to me.
Barring any objections, I'll commit it. For my own reference, since this
changes the catalog, I'll need to update the catalog version when committing.
BTW, should we add a regression test for column privileges on pg_subscription
to help catch similar issues in the future? For example, the test could verify
that subconninfo remains unreadable to non-superusers, while all other existing
columns remain publicly readable. That would make it easier to detect omissions
when new columns are added to pg_subscription. For example,
SELECT count(*) = 0 AS ok
FROM pg_attribute
WHERE attrelid = 'pg_catalog.pg_subscription'::regclass
AND attnum > 0
AND NOT attisdropped
AND ((attname = 'subconninfo'
AND has_column_privilege('regress_subscription_user_dummy',
'pg_catalog.pg_subscription',
attname,
'SELECT'))
OR (attname <> 'subconninfo'
AND NOT
has_column_privilege('regress_subscription_user_dummy',
'pg_catalog.pg_subscription',
attname,
'SELECT')));
Regards,
--
Fujii Masao
view thread (7+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected]
Subject: Re: Fix column privileges for pg_subscription.subwalrcvtimeout
In-Reply-To: <CAHGQGwEOvk0ioxT+eGX-6vHO=2kQRXwKcbOku0qW2cEZ0DnJiQ@mail.gmail.com>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox