Re: Isn't pg_statistic a security hole?
| From | Tom Lane |
|---|---|
| Subject | Re: Isn't pg_statistic a security hole? |
| Date | |
| Msg-id | 23526.989276061@sss.pgh.pa.us |
| In reply to | Re: Isn't pg_statistic a security hole? (Bruce Momjian <pgman@candle.pha.pa.us>) |
| List | pgsql-hackers |

Bruce Momjian <pgman@candle.pha.pa.us> writes:
>> It seems to me that only superusers should be allowed to read the
>> pg_statistic table. Or am I overreacting? Comments?

> You are not overreacting. Imagine a salary column. I can imagine
> max/min being quite interesting.

A fine example, indeed ;-)

> I doubt it is worth letting non-super users see values in that table.
> Their only value is in debugging the optimizer, which seems like a
> super-user job anyway.

Well, mumble. I routinely ask people who're complaining of bad plans
for extracts from their pg_statistic table. I don't foresee that need
vanishing any time soon :-(. The idea of a view seemed nice, in part
because it could be set up to give all the useful info with a simple

    select * from pg_statview where relname = 'foo';

rather than the messy three-way join you have to type now.

regards, tom lane
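
A sketch of the view idea discussed in this message, as an added example that is not part of the original post or the project's own code: a view that performs the catalog join and returns statistics only for columns the calling user may already SELECT. The view name `stat_view` is hypothetical, and the catalog columns and `has_column_privilege()` are those of current PostgreSQL releases, not the release under discussion in the thread.

```sql
-- Added example; run as a superuser. stat_view is a hypothetical name.
-- The view runs with its owner's rights, so callers need no direct
-- access to pg_statistic; the WHERE clause decides what they see.
CREATE VIEW stat_view AS
SELECT n.nspname      AS schemaname,
       c.relname,
       a.attname,
       s.stanullfrac,            -- fraction of NULL entries
       s.stawidth,               -- average stored width in bytes
       s.stadistinct,            -- estimated number of distinct values
       s.stakind1,               -- kind of statistic held in slot 1
       s.stanumbers1,            -- numeric part (e.g. frequencies)
       s.stavalues1              -- actual column values: the sensitive part
FROM pg_catalog.pg_statistic s
JOIN pg_catalog.pg_class     c ON c.oid = s.starelid
JOIN pg_catalog.pg_attribute a ON a.attrelid = c.oid
                              AND a.attnum   = s.staattnum
JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
WHERE NOT a.attisdropped
  -- Only expose rows for columns the *calling* user can already read.
  AND has_column_privilege(c.oid, a.attnum, 'SELECT');

-- Close the direct path and open the filtered one.
REVOKE ALL ON pg_catalog.pg_statistic FROM PUBLIC;
GRANT SELECT ON stat_view TO PUBLIC;

-- The one-line query from the message, against the filtered view:
SELECT * FROM stat_view WHERE relname = 'foo';

-- Check: as an unprivileged role, this should report false.
SELECT has_table_privilege(current_user, 'pg_catalog.pg_statistic', 'SELECT');
```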