Re: Possibility to disable `ALTER SYSTEM`
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Alvaro Herrera <alvherre@alvh.no-ip.org>
Cc: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>,
Isaac Morland <isaac.morland@gmail.com>, pgsql-hackers@postgresql.org
Date: 2023-09-08T15:31:22Z
Lists: pgsql-hackers
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Add allow_alter_system GUC.
- d3ae2a24f265 17.0 landed
-
Rename COMPAT_OPTIONS_CLIENT to COMPAT_OPTIONS_OTHER.
- de7e96bd0fc6 17.0 landed
-
Remove support for version-0 calling conventions.
- 5ded4bd21403 10.0 cited
Alvaro Herrera <alvherre@alvh.no-ip.org> writes: > I don't understand Tom's resistance to this request. It's false security. If you think you are going to prevent a superuser from messing with the system's configuration, you are going to need a lot more restrictions than this, and we'll be forever getting security reports that "hey, I found another way for a superuser to get filesystem access". I think the correct answer to this class of problems is "don't give superuser privileges to clients running inside the container". > I did not like the mention of COPY PROGRAM, though, and in principle I > do not support the idea of treating it the same way as ALTER SYSTEM. It's one of the easiest ways to modify postgresql.conf from SQL. If you don't block that off, the feature is certainly not secure. (But of course, there are more ways.) regards, tom lane