Re: Possibility to disable `ALTER SYSTEM`

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Joel Jacobson <joel(at)compiler(dot)org>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Gabriele Bartolini <gabriele(dot)bartolini(at)enterprisedb(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>, Magnus Hagander <magnus(dot)hagander(at)redpill-linpro(dot)com>, "daniel(at)yesql(dot)se" <daniel(at)yesql(dot)se>
Subject: Re: Possibility to disable `ALTER SYSTEM`
Date: 2024-03-14 20:08:23
Message-ID: 2372973.1710446903@sss.pgh.pa.us
Lists: pgsql-hackers

Robert Haas <robertmhaas(at)gmail(dot)com> writes:
> On Thu, Mar 14, 2024 at 3:13 PM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> With the possible exception of #1, every one of these is easily
>> defeatable by an uncooperative superuser. I'm not excited about
>> adding a "security" feature with such obvious holes in it.

> We're going to document that it's not a security feature along the
> lines of what Magnus suggested in
> http://postgr.es/m/CABUevEx9m=CV8=WpXVW+rtVVs858kDJ6YpRkExV7n+F6MK05CQ@mail.gmail.com

The patch-of-record contains no such wording. And if this isn't a
security feature, then what is it? If you have to say to your
(super) users "please don't mess with the system configuration",
you might as well just trust them not to do it the easy way as not
to do it the hard way. If they're untrustworthy, why have they
got superuser?

What I think this is is a loaded foot-gun painted in kid-friendly
colors. People will use it and then file CVEs about how it did
not turn out to be as secure as they imagined (probably without
reading the documentation).

regards, tom lane
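The "easy way" and "hard way" contrasted above, as an added SQL example that is not part of the thread and not PostgreSQL project code. It assumes a superuser session on PostgreSQL 17 or later (where this feature shipped as the allow_alter_system parameter, settable only in postgresql.conf or on the command line) and a data directory at /var/lib/postgresql/data, which is an assumed path; substitute your own.

```sql
-- Added example, not from the thread. Assumes a superuser session and the
-- (assumed) data directory /var/lib/postgresql/data. Precondition in
-- postgresql.conf:
--     allow_alter_system = off

-- 1. The easy way, now blocked: ALTER SYSTEM refuses to run.
ALTER SYSTEM SET work_mem = '64MB';   -- errors out while allow_alter_system = off

-- 2. The hard way, still open to any superuser: postgresql.auto.conf is an
--    ordinary file in the data directory, and COPY ... TO writes server-side
--    files. COPY TO replaces the file wholesale, so first look at what is
--    there (pg_read_file resolves relative paths against the data directory)
--    and carry forward any lines you want to keep.
SELECT pg_read_file('postgresql.auto.conf');

COPY (
    SELECT line
    FROM (VALUES
        (1, '# Do not edit this file manually!'),
        (2, '# It will be overwritten by the ALTER SYSTEM command.'),
        (3, 'work_mem = ''64MB''')
    ) AS t(n, line)
    ORDER BY n
) TO '/var/lib/postgresql/data/postgresql.auto.conf';

-- A reload picks the value up exactly as if ALTER SYSTEM had written it.
SELECT pg_reload_conf();
SHOW work_mem;

-- 3. Check: what the server actually parsed from that file on the last
--    reload. A line written behind ALTER SYSTEM's back looks no different
--    here, which is the point being made in the thread.
SELECT sourcefile, sourceline, name, setting, applied, error
FROM pg_file_settings
WHERE sourcefile LIKE '%postgresql.auto.conf';

-- 4. Who can take the hard way: superusers, plus any role that holds
--    pg_write_server_files (the predefined role itself shows up too).
--    Auditing this set is what actually bounds configuration changes.
SELECT r.rolname, r.rolsuper,
       pg_has_role(r.oid, 'pg_write_server_files', 'MEMBER') AS can_write_server_files
FROM pg_roles r
WHERE r.rolsuper
   OR pg_has_role(r.oid, 'pg_write_server_files', 'MEMBER');
```

The file-write route is documented behaviour of COPY TO, not a bug, which is why the switch can only ever be a guard rail against accidents rather than a privilege boundary: anyone it stops at step 1 can continue at step 2.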
