Re: Possibility to disable `ALTER SYSTEM` - Mailing list pgsql-hackers

From Tom Lane
Subject Re: Possibility to disable `ALTER SYSTEM`
Date
Msg-id 2372973.1710446903@sss.pgh.pa.us
In response to Re: Possibility to disable `ALTER SYSTEM`  (Robert Haas <robertmhaas@gmail.com>)
Responses Re: Possibility to disable `ALTER SYSTEM`
List pgsql-hackers
Robert Haas <robertmhaas@gmail.com> writes:
> On Thu, Mar 14, 2024 at 3:13 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> With the possible exception of #1, every one of these is easily
>> defeatable by an uncooperative superuser.  I'm not excited about
>> adding a "security" feature with such obvious holes in it.

> We're going to document that it's not a security feature along the
> lines of what Magnus suggested in
> http://postgr.es/m/CABUevEx9m=CV8=WpXVW+rtVVs858kDJ6YpRkExV7n+F6MK05CQ@mail.gmail.com

The patch-of-record contains no such wording.  And if this isn't a
security feature, then what is it?  If you have to say to your
(super) users "please don't mess with the system configuration",
you might as well just trust them not to do it the easy way as not
to do it the hard way.  If they're untrustworthy, why have they
got superuser?

What I think this is is a loaded foot-gun painted in kid-friendly
colors.  People will use it and then file CVEs about how it did
not turn out to be as secure as they imagined (probably without
reading the documentation).

            regards, tom lane
