Re: ALTER SYSTEM vs symlink

On Tue, Nov 3, 2015 at 6:08 AM, Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
> On Mon, Nov 2, 2015 at 3:41 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
>>> Two different methods of restricting ALTER SYSTEM have already been
>>> discussed on this thread: one using file permissions, and the other
>>> using ProcessUtility_hook. I personally think that's good enough.
>>
>> The issue which I have with these suggestions is that one requires users
>> to install an as-yet-unwritten module and the other is to hack with
>> permissions in the data directory. As we've all seen, people playing in
>> $PGDATA is generally a bad idea.
>
> Well, fair enough. I think somebody could write that module in about
> an hour, though. All you have to do is latch onto ProcessUtility_hook
> and throw an error if you've got yourself an AlterSystemStmt.

BTW, I wrote that module 9 month before for pleasure.
https://github.com/MasaoFujii/pg_disallow_utility

If we want to prevent superuser from modifying the configuration file,
not only ALTER SYSTEM but also COPY PROGRAM should be restricted.
Otherwise, superuser can execute arbitrary OS command via COPY PROGRAM
and easily modify any file.

Regards,

--
Fujii Masao