Andres Freund <andres@anarazel.de> writes:
> I'm not quite clear what the goal of allow_system_table_mods
> is. Obviously, it's extremely dangerous to target catalogs with DDL. But
> at the same time we allow DML to catalog tables without any sort of
> restriction.
The last is not true, see pg_class_aclmask().
> I also don't understand what's achieved by having
> allow_system_table_mods be PGC_POSTMASTER.
True. Possibly there was some confusion with ignore_system_indexes,
which probably *should* be PGC_POSTMASTER: if you think the system
indexes are corrupt then they're corrupt for everybody.
> Wouldn't it be more sensible to disallow all catalog modifications
> unless allow_system_table_mods was enabled, and make
> allow_system_table_mods PGC_SUSET and GUC_DISALLOW_IN_FILE?
I'm on board with the second part of that but not the first.
DDL on the system catalogs is significantly more dangerous
than DML, so I think that having an extra layer of protection
for it is a good idea.
regards, tom lane