Re: [HACKERS] pg_user "sealed"
From | jwieck@debis.com (Jan Wieck) |
---|---|
Subject | Re: [HACKERS] pg_user "sealed" |
Date | |
Msg-id | m0y744C-000BFRC@orion.SAPserv.Hamburg.dsh.de |
In reply to | pg_user "sealed" (The Hermit Hacker <scrappy@hub.org>) |
Responses |
Re: [HACKERS] pg_user "sealed"
Re: [HACKERS] pg_user "sealed" |
List | pgsql-hackers |
Marc wrote:
>
>
> Okay...
>
> I've modified initdb.sh so that ALL is revoked from pg_user, with
> a view being created to look into it for usename and usesysid, which are
> required by psql...
>
> This gets it so that psql works for \d
>
> I tried to do a rewrite rule on db_user such that password would
> become '*********', but that doesn't appear to work?
>
> Reports of any problems associated with any of the pg_ system
> tables, please let me know

Since you changed ACL_WORLD_DEFAULT to ACL_NO too, there are now problems on \d <table> (pg_attribute: Permission denied). And thus I expect more problems.

I think users should have SELECT permission on non-critical system catalogs by default. But I don't think that setting explicit GRANT's on all the system catalogs is a good thing. Due to the ACL parsing I would expect some loss of performance.

So if the relname is given to acldefault() in utils/adt/acl.c, it can do an IsSystemRelationName() on it and return ACL_RD instead of ACL_WORLD_DEFAULT.

Jan

--

#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me.                                  #
#======================================== jwieck@debis.com (Jan Wieck) #
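The default-ACL proposal in the message above, as an added example that is not part of the original message and not PostgreSQL source: a small stand-alone C model showing that a name-based default restores world SELECT on pg_attribute while an explicit REVOKE on pg_user still keeps it sealed. The bit values, `ACL_UNSET`, `struct rel`, `world_can_select()`, the sample relations and the "pg_" prefix test are assumptions made for this model.

```c
#include <stdio.h>
#include <string.h>

/* Constructed bit values for this model; only the names ACL_NO, ACL_RD and
 * ACL_WORLD_DEFAULT come from the message. */
#define ACL_NO            0
#define ACL_RD            (1 << 1)
#define ACL_WORLD_DEFAULT ACL_NO      /* after the change discussed above */
#define ACL_UNSET         (-1)        /* hypothetical: no explicit ACL stored */

/* Model assumption: a system relation is one whose name starts with "pg_". */
static int IsSystemRelationName(const char *relname)
{
    return strncmp(relname, "pg_", 3) == 0;
}

/* Proposed behaviour: the world default depends on the relation name. */
static int acldefault(const char *relname)
{
    return IsSystemRelationName(relname) ? ACL_RD : ACL_WORLD_DEFAULT;
}

/* Hypothetical catalog row: relation name plus explicit world ACL, if any. */
struct rel { const char *relname; int world_acl; };

/* An explicit ACL always wins; acldefault() is consulted only when none is set. */
static int world_can_select(const struct rel *r)
{
    int acl = (r->world_acl == ACL_UNSET) ? acldefault(r->relname) : r->world_acl;
    return (acl & ACL_RD) != 0;
}

int main(void)
{
    /* Constructed sample: pg_user carries the explicit REVOKE ALL from initdb. */
    struct rel rels[] = {
        { "pg_attribute", ACL_UNSET },
        { "pg_user",      ACL_NO    },
        { "accounts",     ACL_UNSET },
    };
    for (size_t i = 0; i < sizeof rels / sizeof rels[0]; i++)
        printf("%-13s world SELECT: %s\n", rels[i].relname,
               world_can_select(&rels[i]) ? "allowed" : "denied");
    return 0;
}
```

In this model the sealing of pg_user depends entirely on its explicit ACL being present; a system catalog left without one falls back to world-readable.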