Re: Isn't pg_statistic a security hole?
From | Bruce Momjian |
---|---|
Subject | Re: Isn't pg_statistic a security hole? |
Date | |
Msg-id | 200105071737.f47Hbjj16291@candle.pha.pa.us |
In reply to | Isn't pg_statistic a security hole? (Tom Lane <tgl@sss.pgh.pa.us>) |
Responses | Re: Isn't pg_statistic a security hole? |
List | pgsql-hackers |

> Right now anyone can look in pg_statistic and discover the min/max/most
> common values of other people's tables. That's not a lot of info, but
> it might still be more than you want them to find out. And the
> statistical changes that I'm about to commit will allow a couple dozen
> values to be exposed, not only three values per column.
>
> It seems to me that only superusers should be allowed to read the
> pg_statistic table. Or am I overreacting? Comments?

You are not overreacting. Imagine a salary column. I can imagine max/min being quite interesting. I doubt it is worth letting non-super users see values in that table. Their only value is in debugging the optimizer, which seems like a super-user job anyway.

--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026