On Mon, Nov 2, 2015 at 3:41 PM, Stephen Frost <sfrost@snowman.net> wrote:
>> Two different methods of restricting ALTER SYSTEM have already been
>> discussed on this thread: one using file permissions, and the other
>> using ProcessUtility_hook. I personally think that's good enough.
>
> The issue which I have with these suggestions is that one requires users
> to install an as-yet-unwritten module and the other is to hack with
> permissions in the data directory. As we've all seen, people playing in
> $PGDATA is generally a bad idea.
Well, fair enough. I think somebody could write that module in about
an hour, though. All you have to do is latch onto ProcessUtility_hook
and throw an error if you've got yourself an AlterSystemStmt.
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company