Re: CATUPDATE confusion?

On 2/25/15 10:05 PM, Stephen Frost wrote:
> * Peter Eisentraut (peter_e@gmx.net) wrote:
>> On 2/25/15 3:39 PM, Stephen Frost wrote:
>>>> I'd get rid of that whole check, not just replace rolcatupdate by rolsuper.
>>>
>>> Err, wouldn't this make it possible to grant normal users the ability to
>>> modify system catalogs?  I realize that they wouldn't have that
>>> initially, but I'm not sure we want the superuser to be able to grant
>>> that to non-superusers..
>>
>> Why not?  I thought we are trying to get rid of special superuser behavior.
> 
> Agreed, but I'd also like to get rid of any reason, beyond emergency
> cases, for people to modify the catalog directly.  There's a few places
> which we aren't yet doing that, but I'd rather fix those cases than
> encourage people to give out rights to modify them and end up making
> things like:
> 
> "UPDATE pg_database SET datallowconn = false where datname = 'xyz';"
> 
> an accepted interface.

I'm not sure those things are related.

Getting rid of the *reasons* for updating catalogs directly might be
worthwhile, but I don't see why we need to install (or maintain) a
special invisible permission trap for it.  We have a permission system,
and it works pretty well.

The Unix kernels don't have special traps for someone to modify
/etc/shadow or similar directly.  That file has appropriate permissions,
and that's it.  I think that works pretty well.