On 2013-08-29 21:26:48 -0400, Stephen Frost wrote:
> > Sure, you can construct a scenario where this matters. The ops guys
> > have "sudo postgres pg_ctl" access but adminpack isn't installed and
> > they have no other way to modify the configuration file. But that's
> > just bizarre. And if that's really the environment you have, then you
> > can install a loadable module that grabs ProcessUtility_hook and uses
> > it to forbid ALTER SYSTEM on that machine. Hell, we can ship such a
> > thing in contrib. Problem solved. But it's surely too obscure a
> > combination of circumstances to justify disabling this by default.
>
> It's not the OPs guy that I'm worried about using ALTER SYSTEM- I don't
> expect them to have any clue about it or care about it, except where it
> can be used to modify things under /etc which they, rightfully, consider
> their domain.

I think for the scenarios you describe it makes far, far more sense
to add the ability to easily monitor for two things:
* on-disk configuration isn't the same as the currently loaded (not
  trivially possible yet)
* Configuration variables only come from locations that are approved
  for in your scenario (Already possible, we might want to make it even
  easier)

Greetings,
Andres Freund

--
 Andres Freund                     http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services
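
The second check listed in the message above (configuration variables only coming from approved locations) can be written as a query against the `pg_settings` view. This is an added example, not part of the original message or of PostgreSQL itself; the approved prefix `/etc/postgresql/` is an assumed path to adjust for the site.

```sql
-- Added example: flag every setting whose value does not come from an
-- approved configuration location.
-- Assumption: '/etc/postgresql/' is the only approved location (hypothetical).
-- Run as a superuser: sourcefile and sourceline are NULL for other roles,
-- which would make every file-based setting look unapproved.
WITH approved(prefix) AS (
    VALUES ('/etc/postgresql/')
)
SELECT s.name,
       s.setting,
       s.source,        -- e.g. 'configuration file', 'command line', 'database'
       s.sourcefile,    -- file the active value was read from, if any
       s.sourceline
FROM pg_settings AS s
WHERE s.source NOT IN (
          'default',    -- built-in value, nothing was configured
          'override',   -- value computed by the server itself
          'client',     -- sent by this monitoring connection at startup
          'session'     -- SET issued in this monitoring session
      )
  AND (
        -- No file at all: command line, environment variable,
        -- ALTER DATABASE / ALTER ROLE, and similar sources.
        s.sourcefile IS NULL
        -- A file, but not under any approved prefix. Comparing the leading
        -- characters exactly avoids LIKE wildcards in the path.
        OR NOT EXISTS (
               SELECT 1
               FROM approved AS a
               WHERE left(s.sourcefile, length(a.prefix)) = a.prefix
           )
      )
ORDER BY s.sourcefile NULLS FIRST, s.sourceline, s.name;
```

An empty result means every non-default setting was read from a file under the approved prefix; any row returned is a value a monitoring job should report, including values read from a configuration file located outside that prefix.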