# pg_read_all_settings

## What is pg_read_all_settings?

pg_read_all_settings is a built-in (predefined) role that allows a user to read all PostgreSQL configuration settings, including the ones normally visible only to superusers.

- In simple words: “I can see how the server is configured.”
## What pg_read_all_settings CAN do

A role with this privilege can read all configuration parameters, including:

- `shared_buffers`
- `work_mem`
- `maintenance_work_mem`
- `max_connections`
- `wal_level`
- `log_statement`
- `ssl`, `ssl_ciphers`
- `archive_mode`
- `autovacuum_*`
- `listen_addresses`

They are read with:

```sql
SHOW ALL;
```

or:

```sql
SELECT * FROM pg_settings;
```
## What it CANNOT do

- ❌ Change settings
- ❌ Reload config
- ❌ Restart server
- ❌ Read data from tables
- ❌ Access files
- ❌ Execute OS commands

It is read-only.
## Why this role exists

Normally:

```sql
SELECT * FROM pg_settings;
```

returns only the non-sensitive settings: parameters flagged superuser-only (file locations and similar) are filtered out of `pg_settings` and `SHOW ALL`, and `SHOW` on one of them by name fails with a permission error.

- But with pg_read_all_settings you see everything, including the hidden / sensitive parameters.
## Security considerations

| Risk area | Impact |
|---|---|
| Data confidentiality | 🟢 Safe |
| Server topology exposure | 🔴 Medium |
| Performance tuning secrets | 🟡 Medium |
| OS security | 🟢 Safe |

- Examples of sensitive info exposed:
  - File paths (`data_directory`)
  - SSL config
  - WAL/archive paths
  - Logging policies
  - Memory limits
## Mental model

pg_read_all_settings = “Read the server’s brain, but don’t touch it.”
## Example

Without the role:

```sql
SELECT * FROM pg_settings;
-- some rows hidden
```

With the role:

```sql
GRANT pg_read_all_settings TO analyst;
SELECT name, setting FROM pg_settings;
-- full list visible
```
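To see exactly which parameters the role unlocks, and to confirm it unlocks nothing else, the following walkthrough can be run in a superuser psql session. It is an added example, not part of the original page or PostgreSQL's documentation; the role name `settings_demo` and the temporary table `all_settings` are made up for the demonstration. The idea is to snapshot the complete parameter list as superuser, then compare it against what an unprivileged role can see before and after the grant, and finally check that write operations are still refused.

```sql
-- Added example (not from the original page). Run as a superuser.
-- settings_demo is a constructed role name for this walkthrough.

-- 1. A plain role with no extra privileges.
CREATE ROLE settings_demo NOLOGIN;

-- 2. Snapshot the full parameter list while still a superuser, so the
--    restricted session has something to compare against.
CREATE TEMP TABLE all_settings AS SELECT name FROM pg_settings;
GRANT SELECT ON all_settings TO settings_demo;

-- 3. Act as the unprivileged role (a superuser may SET ROLE to any role).
SET ROLE settings_demo;

-- These are the parameters hidden from pg_settings / SHOW ALL without the role
-- (data_directory, config_file, hba_file, ... on a stock install).
SELECT name FROM all_settings
EXCEPT
SELECT name FROM pg_settings
ORDER BY name;

-- Asking for one of them by name is refused with an insufficient_privilege
-- error ("must be superuser or ... pg_read_all_settings to examine ...";
-- exact wording depends on the server version).
SHOW data_directory;

RESET ROLE;

-- 4. Grant the predefined role. Membership is inherited immediately.
GRANT pg_read_all_settings TO settings_demo;
SET ROLE settings_demo;

-- Now the EXCEPT query returns zero rows and SHOW succeeds.
SELECT name FROM all_settings
EXCEPT
SELECT name FROM pg_settings;
SHOW data_directory;

-- 5. Still read-only: both of these fail with a permission error.
ALTER SYSTEM SET work_mem = '64MB';
SELECT pg_reload_conf();

-- 6. Cleanup. Drop the table first: the SELECT grant on it counts as a
--    dependency and would otherwise block DROP ROLE.
RESET ROLE;
DROP TABLE all_settings;
DROP ROLE settings_demo;
```

The EXCEPT query is the useful part for an audit: run it once on a given server version and you have the concrete list of parameters this role exposes in your environment, rather than a generic description.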
## Typical users for this role

- ✅ Good candidates
  - DBAs (read-only)
  - Performance engineers
  - Observability tools
  - Monitoring agents
  - Infrastructure auditors
- ❌ Bad candidates
  - Application users
  - External customers
  - BI users (usually unnecessary)
## How it fits with other roles

| Role | Purpose |
|---|---|
| pg_read_all_settings | Read config |
| pg_read_all_stats | Read stats |
| pg_monitor | Combined observability |
| pg_read_all_data | Read data |
| pg_write_all_data | Write data |

Note: pg_monitor already includes pg_read_all_settings.
## ☁️ Cloud behavior (AWS RDS / Cloud SQL)

- Fully supported
- Does not expose host OS
- Safe for monitoring stacks (Prometheus, Datadog, etc.)

## Best practice

- ✅ Grant to monitoring roles
- ✅ Combine with pg_read_all_stats
- ❌ Don’t grant to app roles
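The best-practice list only holds if someone periodically checks who actually has the role, and since pg_monitor includes it, a direct-grant check is not enough. The audit query below is an added example, not from the original page; the role names `app_user` and `prometheus` are constructed. It uses `pg_has_role(..., 'MEMBER')`, which follows role inheritance, so members of pg_monitor are listed too, and it reports separately whether the grant is direct or inherited.

```sql
-- Added example (not from the original page): audit effective holders of
-- pg_read_all_settings. app_user and prometheus are constructed role names.

-- Every non-system role that effectively holds pg_read_all_settings.
-- pg_has_role(..., 'MEMBER') walks inheritance, so pg_monitor members appear.
-- Superusers satisfy pg_has_role for every role, so rolsuper is shown to
-- explain why they are listed.
SELECT r.rolname,
       r.rolcanlogin,
       r.rolsuper,
       pg_has_role(r.oid, 'pg_monitor', 'MEMBER') AS via_pg_monitor,
       EXISTS (SELECT 1
               FROM pg_auth_members m
               WHERE m.member = r.oid
                 AND m.roleid = 'pg_read_all_settings'::regrole) AS granted_directly
FROM pg_roles r
WHERE pg_has_role(r.oid, 'pg_read_all_settings', 'MEMBER')
  AND r.rolname NOT LIKE 'pg\_%'      -- skip the built-in pg_* roles themselves
ORDER BY r.rolname;

-- Remediation for an application login that turned up in the list:
REVOKE pg_read_all_settings FROM app_user;

-- Monitoring agents get the combined observability role instead of
-- individual grants, which also covers pg_read_all_stats.
GRANT pg_monitor TO prometheus;
```

Rows where `rolcanlogin` is true and the name matches an application account are the ones the best-practice list says should not be there; a row with `via_pg_monitor` true cannot be fixed by revoking pg_read_all_settings alone, the pg_monitor membership has to be revoked instead.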
## Summary

| Feature | Allowed |
|---|---|
| Read pg_settings | ✅ |
| SHOW ALL | ✅ |
| Modify settings | ❌ |
| Restart server | ❌ |
| Access data | ❌ |