Re: should we allow users with a predefined role to access pg_backend_memory_contexts view and pg_log_backend_memory_contexts function?

Robert Haas <robertmhaas@gmail.com>

From: Robert Haas <robertmhaas@gmail.com>
To: Jeff Davis <pgsql@j-davis.com>
Cc: Stephen Frost <sfrost@snowman.net>, Isaac Morland <isaac.morland@gmail.com>, "Bossart, Nathan" <bossartn@amazon.com>, Bharath Rupireddy <bharath.rupireddyforpostgres@gmail.com>, PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2021-10-15T13:08:27Z
Lists: pgsql-hackers
On Thu, Oct 14, 2021 at 3:02 PM Jeff Davis <pgsql@j-davis.com> wrote:
> How do you feel about at least allowing the functions to execute (and
> if it's SECURITY INVOKER, possibly encountering a permissions failure
> during execution)?

I think we'd at least need to check that the view owner has execute
permission on the function. I'm not sure whether there are any other
gotchas.

> There are of course security implications with any change like that,
> but it seems like a fairly minor one unless I'm missing something. Why
> would an admin give someone the privileges to read a view if it will
> always fail due to lack of execute privilege?

An excellent question.

-- 
Robert Haas
EDB: http://www.enterprisedb.com



Commits

  1. Grant memory views to pg_read_all_stats.