Home > mailing lists

Re: Possibility to disable `ALTER SYSTEM` - Mailing list pgsql-hackers

From	Magnus Hagander
Subject	Re: Possibility to disable `ALTER SYSTEM`
Date	January 31 00:58:56
Msg-id	CABUevEyYsuFUDUFW9=M4w3EbsxY9xfKXAxPPWRER9KRr0mEb1A@mail.gmail.com Whole thread Raw
In response to	Re: Possibility to disable `ALTER SYSTEM` (Tom Lane <tgl@sss.pgh.pa.us>)
Responses	Re: Possibility to disable `ALTER SYSTEM`
List	pgsql-hackers

Tree view

On Tue, Jan 30, 2024 at 10:48 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
>
> Robert Haas <robertmhaas@gmail.com> writes:
> > There's nothing wrong with that exactly, but what does it gain us over
> > my proposal of a sentinel file?
>
> I was imagining using selinux and/or sepgsql to directly prevent
> writing postgresql.auto.conf from the Postgres account.  Combine that
> with a non-Postgres-owned postgresql.conf (already supported) and you
> have something that seems actually bulletproof, rather than a hint.
> Admittedly, using that approach requires knowing something about a
> non-Postgres security mechanism.

Wouldn't a simple "chattr +i postgresql.auto.conf" work?

--
 Magnus Hagander
 Me: https://www.hagander.net/
 Work: https://www.redpill-linpro.com/

pgsql-hackers by date:

From: Andres Freund
Date: 31 January, 00:58:12
Subject: Re: Fix some ubsan/asan related issues

From: Andrew Dunstan
Date: 31 January, 01:18:49
Subject: Re: 003_extrafiles.pl test fails on Windows with the newer Perl versions

Re: Possibility to disable `ALTER SYSTEM` - Mailing list pgsql-hackers

Previous

Next