Re: [HACKERS] pg_user "sealed"
Marc Fournier <scrappy@hub.org>
From: The Hermit Hacker <scrappy@hub.org>
To: Jan Wieck <jwieck@debis.com>
Cc: pgsql-hackers@postgreSQL.org
Date: 1998-02-23T20:01:12Z
Lists: pgsql-hackers
On Mon, 23 Feb 1998, Jan Wieck wrote: > > Marc wrote: > > > > > > Okay... > > > > I've modified initdb.sh so that ALL is revoked from pg_user, with > > a view being created to look into it for usename and usesysid, which are > > required by psql... > > > > This gets it so that psql works for \d > > > > I tried to do a rewrite rule on db_user such that password would > > become '*********', but that does't appear to work? > > > > Reports of any problems associated with any of the pg_ system > > tables, please let me know > > Since you changed ACL_WORLD_DEFAULT to ACL_NO too, there are > now problems on \d <table> (pg_attribute: Permission denied). > And thus I expect more problems. I think users should have > SELECT permission on non-critical system catalogs by default. Okay, I've just been adding in appropriate 'GRANT SELECT's inside of initdb.sh, for lack of a better idea... > But I don't think that setting explicit GRANT's on all the > system catalogs is a good thing. Due to the ACL parsing I > would expect some loss of performance. > > So if the relname is given to acldefault() in > utils/adt/acl.c, it can do a IsSystemRelationName() on it and > return ACL_RD instead of ACL_WORLD_DEFAULT. ...which this definitely sound like :) Want to make the change and send me a patch?