Re: Possibility to disable `ALTER SYSTEM`
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Robert Haas <robertmhaas@gmail.com>
Cc: Joel Jacobson <joel@compiler.org>, Andrew Dunstan <andrew@dunslane.net>,
Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>,
pgsql-hackers <pgsql-hackers@postgresql.org>,
Magnus Hagander <magnus.hagander@redpill-linpro.com>,
"daniel@yesql.se" <daniel@yesql.se>
Date: 2024-03-14T20:08:23Z
Lists: pgsql-hackers
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Add allow_alter_system GUC.
- d3ae2a24f265 17.0 landed
-
Rename COMPAT_OPTIONS_CLIENT to COMPAT_OPTIONS_OTHER.
- de7e96bd0fc6 17.0 landed
-
Remove support for version-0 calling conventions.
- 5ded4bd21403 10.0 cited
Robert Haas <robertmhaas@gmail.com> writes: > On Thu, Mar 14, 2024 at 3:13 PM Tom Lane <tgl@sss.pgh.pa.us> wrote: >> With the possible exception of #1, every one of these is easily >> defeatable by an uncooperative superuser. I'm not excited about >> adding a "security" feature with such obvious holes in it. > We're going to document that it's not a security feature along the > lines of what Magnus suggested in > http://postgr.es/m/CABUevEx9m=CV8=WpXVW+rtVVs858kDJ6YpRkExV7n+F6MK05CQ@mail.gmail.com The patch-of-record contains no such wording. And if this isn't a security feature, then what is it? If you have to say to your (super) users "please don't mess with the system configuration", you might as well just trust them not to do it the easy way as not to do it the hard way. If they're untrustworthy, why have they got superuser? What I think this is is a loaded foot-gun painted in kid-friendly colors. People will use it and then file CVEs about how it did not turn out to be as secure as they imagined (probably without reading the documentation). regards, tom lane