Re: Possibility to disable `ALTER SYSTEM`

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Jelte Fennema-Nio <postgres(at)jeltef(dot)nl>
Cc: Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>, Daniel Gustafsson <daniel(at)yesql(dot)se>, Bruce Momjian <bruce(at)momjian(dot)us>, Joel Jacobson <joel(at)compiler(dot)org>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Gabriele Bartolini <gabriele(dot)bartolini(at)enterprisedb(dot)com>, Magnus Hagander <magnus(dot)hagander(at)redpill-linpro(dot)com>, Maciek Sakrejda <m(dot)sakrejda(at)gmail(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>
Subject: Re: Possibility to disable `ALTER SYSTEM`
Date: 2024-03-19 16:05:20
Message-ID: 3879337.1710864320@sss.pgh.pa.us
Lists: pgsql-hackers

Jelte Fennema-Nio <postgres(at)jeltef(dot)nl> writes:
> On Tue, 19 Mar 2024 at 15:52, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> I like this idea. The "bonus" is not optional though, because
>> setting the files' ownership/permissions is the only way to be
>> sure that the prohibition is even a little bit bulletproof.

> I don't agree with this. The only "normal" way of modifying
> postgresql.auto.conf from within postgres is using ALTER SYSTEM, so
> simply disabling ALTER SYSTEM seems enough to me.

I've said this repeatedly: it's not enough. The only reason we need
any feature whatsoever is that somebody doesn't trust their database
superusers to not try to modify the configuration. Given that
requirement, merely disabling ALTER SYSTEM isn't a solution, it's a
fig leaf that might fool incompetent auditors but no more.

If you aren't willing to build a solution that blocks off mods
using COPY TO FILE/PROGRAM and other readily-available-to-superusers
tools (plpythonu for instance), I think you shouldn't bother asking
for a feature at all. Just trust your superusers.

regards, tom lane
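
The following is an added example, not part of the original message or of any PostgreSQL patch: a mode-bit audit of the ownership/permissions point quoted above, reporting whether a given OS uid could still alter the configuration files once `ALTER SYSTEM` is disabled. The function names and finding labels are hypothetical; ACLs, sticky bits and immutable attributes are not modelled, and the uid is assumed to be non-root.

```python
import os
import stat

# File names the thread is concerned with (assumed to sit in one directory).
CONFIG_FILES = ("postgresql.conf", "postgresql.auto.conf")


def writable_by(st, uid, gids):
    """POSIX mode-bit check: exactly one permission class applies to a process."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit(conf_dir, uid, gids=frozenset()):
    """Return (path, problem) pairs showing how `uid` could alter the config files."""
    findings = []
    # Write permission on the directory allows rename/unlink of its entries,
    # so a read-only file can still be replaced wholesale.
    if writable_by(os.stat(conf_dir), uid, gids):
        findings.append((conf_dir, "directory-writable"))
    for name in CONFIG_FILES:
        path = os.path.join(conf_dir, name)
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            continue
        if stat.S_ISLNK(st.st_mode):
            # Mode bits of a symlink say nothing; the target needs its own audit.
            findings.append((path, "symlink"))
        elif writable_by(st, uid, gids):
            findings.append((path, "file-writable"))
    return findings


if __name__ == "__main__":
    import sys
    # Run as the server's OS user, passing the directory holding the config files.
    for path, problem in audit(sys.argv[1], os.getuid(), set(os.getgroups())):
        print(f"{problem}: {path}")
```

An empty result means only that the mode bits deny writes to that uid; a "directory-writable" finding means a read-only file alone does not prevent replacement.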
