Re: Possibility to disable `ALTER SYSTEM`

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Jelte Fennema-Nio <postgres(at)jeltef(dot)nl>
Cc: Andrew Dunstan <andrew(at)dunslane(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Robert Haas <robertmhaas(at)gmail(dot)com>, Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>, Daniel Gustafsson <daniel(at)yesql(dot)se>, Joel Jacobson <joel(at)compiler(dot)org>, Gabriele Bartolini <gabriele(dot)bartolini(at)enterprisedb(dot)com>, Magnus Hagander <magnus(dot)hagander(at)redpill-linpro(dot)com>, Maciek Sakrejda <m(dot)sakrejda(at)gmail(dot)com>
Subject: Re: Possibility to disable `ALTER SYSTEM`
Date: 2024-03-27 15:01:28
Message-ID: ZgQ0yPnkkEEHVStz@momjian.us
Lists: pgsql-hackers

On Wed, Mar 27, 2024 at 03:43:28PM +0100, Jelte Fennema-Nio wrote:
> + </term>
> + <listitem>
> + <para>
> + When <literal>allow_alter_system</literal> is set to
> + <literal>on</literal>, an error is returned if the <command>ALTER
> + SYSTEM</command> command is used. This parameter can only be set in
> + the <filename>postgresql.conf</filename> file or on the server command
> + line. The default value is <literal>on</literal>.
> + </para>

Uh, the above is clearly wrong. I think you mean "off" on the second line.

> +
> + <para>
> + Note that this setting cannot be regarded as a security feature. It
> + only disables the <literal>ALTER SYSTEM</literal> command. It does not
> + prevent a superuser from changing the configuration remotely using

Why "remotely"?

> + other means. A superuser has many ways of executing shell commands at
> + the operating system level, and can therefore modify
> + <literal>postgresql.auto.conf</literal> regardless of the value of
> + this setting. The purpose of the setting is to prevent
> + <emphasis>accidental</emphasis> modifications via <literal>ALTER
> + SYSTEM</literal> in environments where
> + <productname>PostgreSQL</productname> its configuration is managed by
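
Review bot: markup in this paragraph is inconsistent with the first one:
postgresql.auto.conf is tagged <literal> here while postgresql.conf is
tagged <filename> above, and ALTER SYSTEM is tagged <literal> here and in
the "It only disables" sentence but <command> in the first paragraph and
in the sentence that follows. Suggest
<filename>postgresql.auto.conf</filename> and
<command>ALTER SYSTEM</command> throughout the entry.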

"its"?

> + some outside mechanism. In such environments, using <command>ALTER
> + SYSTEM</command> to make configuration changes might appear to work,
> + but then may be discarded at some point in the future when that outside

"might"

> + mechanism updates the configuration. Setting this parameter to
> + <literal>on</literal> can help to avoid such mistakes.
> + </para>

"off"

Is this really a patch we think we can push into PG 17? I am having my
doubts.

--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EDB https://enterprisedb.com

Only you can decide what is important to you.
