Re: Possibility to disable `ALTER SYSTEM` - Mailing list pgsql-hackers

From Tom Lane
Subject Re: Possibility to disable `ALTER SYSTEM`
Msg-id 3879337.1710864320@sss.pgh.pa.us
In response to Re: Possibility to disable `ALTER SYSTEM`  (Jelte Fennema-Nio <postgres@jeltef.nl>)
List pgsql-hackers
Jelte Fennema-Nio <postgres@jeltef.nl> writes:
> On Tue, 19 Mar 2024 at 15:52, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> I like this idea.  The "bonus" is not optional though, because
>> setting the files' ownership/permissions is the only way to be
>> sure that the prohibition is even a little bit bulletproof.

> I don't agree with this. The only "normal" way of modifying
> postgresql.auto.conf from within postgres is using ALTER SYSTEM, so
> simply disabling ALTER SYSTEM seems enough to me.

I've said this repeatedly: it's not enough.  The only reason we need
any feature whatsoever is that somebody doesn't trust their database
superusers to not try to modify the configuration.  Given that
requirement, merely disabling ALTER SYSTEM isn't a solution, it's a
fig leaf that might fool incompetent auditors but no more.

If you aren't willing to build a solution that blocks off mods
using COPY TO FILE/PROGRAM and other readily-available-to-superusers
tools (plpythonu for instance), I think you shouldn't bother asking
for a feature at all.  Just trust your superusers.

            regards, tom lane
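Tom's point is that only the files' ownership and permissions make the prohibition meaningful, and that is something a defender can verify on the host. The script below is an added example, not code from this thread or from PostgreSQL; it assumes GNU `stat` (with a best-effort BSD fallback) and that the server's OS account is not a member of the config files' group.

```shell
#!/bin/sh
# Added audit helper (not from the pgsql-hackers thread): checks that a
# PostgreSQL config file cannot be rewritten by the OS account the server
# runs as. The server only needs read access to these files.

# Print the owning user of a file (GNU stat, BSD stat as fallback).
file_owner() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# Print the permission bits of a file in octal, e.g. 644.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# config_locked_down FILE SERVER_USER
# Returns 0 only if FILE exists, is not owned by SERVER_USER, and has no
# group or world write bit. An owner can always chmod the file back, so
# ownership by the server account fails regardless of the mode.
config_locked_down() {
    file=$1
    server_user=$2
    if [ ! -f "$file" ]; then
        echo "FAIL: $file does not exist" >&2
        return 1
    fi
    owner=$(file_owner "$file")
    if [ "$owner" = "$server_user" ]; then
        echo "FAIL: $file is owned by server account $server_user" >&2
        return 1
    fi
    mode=$(file_mode "$file")
    # Leading 0 makes the arithmetic treat the mode as octal; 022 = g+w,o+w.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL: $file mode $mode is group- or world-writable" >&2
        return 1
    fi
    echo "OK: $file owner=$owner mode=$mode, not writable by $server_user"
    return 0
}

# check_pgdata PGDATA SERVER_USER: audit both config files under PGDATA.
check_pgdata() {
    rc=0
    for name in postgresql.conf postgresql.auto.conf; do
        config_locked_down "$1/$name" "$2" || rc=1
    done
    return $rc
}

# Usage: sh audit_pgconf.sh /path/to/pgdata postgres
if [ "$#" -eq 2 ]; then
    check_pgdata "$1" "$2"
fi
```

The check covers only rewriting the file in place; whether the server account can replace the file wholesale depends on the permissions of the containing directory, which this script does not inspect.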