Greetings, The way permissions on catalog objects are handled isn't discussed at all in the documentation. Barring objections, I'll commit and back-patch the attached to improve that situation in the next day or so.
Thanks! Stephen
From ad8e663893ea906238a9c0346bf8791eafe3d333 Mon Sep 17 00:00:00 2001
From: Stephen Frost <sfr...@snowman.net>
Date: Wed, 10 Feb 2016 13:28:11 -0500
Subject: [PATCH] Add note regarding permissions in pg_catalog
Add a note to the system catalog section pointing out that while
modifying the permissions on catalog tables is possible, it's
unlikely to have the desired effect.
---
doc/src/sgml/catalogs.sgml | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/doc/src/sgml/catalogs.sgml b/doc/src/sgml/catalogs.sgml
index 412c845..3e8ebee 100644
--- a/doc/src/sgml/catalogs.sgml
+++ b/doc/src/sgml/catalogs.sgml
@@ -21,6 +21,17 @@
particularly esoteric operations, such as adding index access methods.
</para>
+ <note>
+ <para>
+ Changing the permissions on objects in the system catalogs, while
+ possible, is unlikely to have the desired effect as the internal
+ lookup functions use a cache and do not check the permissions nor
+ policies of tables in the system catalog. Further, permission
+ changes to objects in the system catalogs are not preserved by
+ pg_dump or across upgrades.
+ </para>
+ </note>
+
<sect1 id="catalogs-overview">
<title>Overview</title>
--
2.5.0
signature.asc
Description: Digital signature
