Stephen Frost <sfrost@snowman.net> writes:
> * Andres Freund (andres@anarazel.de) wrote:
>> You can just revoke permissions on the file if necessary. Results in the
>> expected
>> ERROR: XX000: could not open file "../postgresql.auto.conf": Permission denied
> Yes, I know, but that's a really grotty way of offering a way to disable
> ALTER SYSTEM. It's also not exactly intuitive to someone reading the
> release notes or working on upgrading their existing postgresql.conf.
While I won't stand in the way if someone is dead set on providing a
disable switch for ALTER SYSTEM, I fail to see the point of one. It's
a superuser-only feature to begin with, and if you are handing out
superuser on production-critical installations to people you don't trust
completely, you need to have your head examined.
As a directly comparable example, I note that you yourself were in favor
of getting rid of rolcatupdate, which was the only mechanism we ever had
that could prevent a superuser from destroying the catalogs entirely
with a mistyped update --- consider "DELETE FROM pg_proc", for example,
which unlike ALTER SYSTEM there is simply no way to recover from.
How is it that we don't need rolcatupdate but we do need a way to shut
off ALTER SYSTEM? Doesn't compute, IMO.
regards, tom lane