Re: Possibility to disable `ALTER SYSTEM`
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Robert Haas <robertmhaas@gmail.com>
Cc: Martín Marqués <martin.marques@gmail.com>, Isaac Morland <isaac.morland@gmail.com>, Magnus Hagander <magnus@hagander.net>, Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>, pgsql-hackers@postgresql.org
Date: 2024-01-30T21:48:03Z
Lists: pgsql-hackers
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Add allow_alter_system GUC.
- d3ae2a24f265 17.0 landed
-
Rename COMPAT_OPTIONS_CLIENT to COMPAT_OPTIONS_OTHER.
- de7e96bd0fc6 17.0 landed
-
Remove support for version-0 calling conventions.
- 5ded4bd21403 10.0 cited
Robert Haas <robertmhaas@gmail.com> writes: > On Tue, Jan 30, 2024 at 2:20 PM Tom Lane <tgl@sss.pgh.pa.us> wrote: >> Indeed. I'd go so far as to say that we should reject not only this >> proposal, but any future ones that intend to prevent superusers from >> doing things that superusers normally could do (and, indeed, are >> normally expected to do). > Also in my opinion, there is a fair amount of nuance here. On the one > hand, I and others put a lot of work into making it possible to not > give people superuser and still be able to do a controlled subset of > the things that a superuser can do. Sure, and that is a line of thought that we should continue to pursue. But we already have enough mechanism to let a non-superuser set only the ALTER SYSTEM stuff she's authorized to. There is no reason to think that a non-superuser could break through that restriction at all, let alone easily. So that's an actual security feature, not security theater. I don't see how the feature proposed here isn't security theater, or at least close enough to that. >> Something like contrib/sepgsql would be a better mechanism, perhaps. > There's nothing wrong with that exactly, but what does it gain us over > my proposal of a sentinel file? I was imagining using selinux and/or sepgsql to directly prevent writing postgresql.auto.conf from the Postgres account. Combine that with a non-Postgres-owned postgresql.conf (already supported) and you have something that seems actually bulletproof, rather than a hint. Admittedly, using that approach requires knowing something about a non-Postgres security mechanism. regards, tom lane