* Robert Haas (robertmhaas@gmail.com) wrote:
> On Thu, Jan 5, 2017 at 11:56 AM, Stephen Frost <sfrost@snowman.net> wrote:
> >> One thing I'm kind of happy about is that, as far as I can see, there
> >> hasn't been much backlash against the existing ALTER SYSTEM, either
> >> from a security point of view or a user-confusion point of view.
> >
> > I've seen complaints about it and have seen people changing the
> > permissions to be root/root on the .auto.conf file to disallow 'regular'
> > superusers from doing ALTER SYSTEM. It's not exactly elegant but it's a
> > way to avoid the risk of someone messing with the system config without
> > going through the CM system.
>
> Hmm, OK. They're not bothered by ALTER DATABASE the_one_everybody_uses?
Generally speaking, an ALTER DATABASE is unlikely to make the cluster
fail to start. To be clear, I've only seen 1 or 2 cases and I'm not
sure if, in those cases, they even fully understood how much can be
changed through ALTER DATABASE or ALTER ROLE.
My goal in those cases (and others where I come across installations
with a lot of superusers) is typically to try and educate them as to
just how close a superuser is to the unix user and recommend that they
reconsider how they handle access privileges in the system (in
particular, to try and get them to not have so many superusers and
instead use other ways to give people access to what they need).
Of course, that tends to lead into things like "well, how do I make sure
that user X has read rights on every table, always" or "how do I give
someone the ability to terminate runaway queries that another user
started." We've made progress there, but there's more to do still.
Thanks!
Stephen
