Re: Possibility to disable `ALTER SYSTEM`

Andrew Dunstan <andrew@dunslane.net>

From: Andrew Dunstan <andrew@dunslane.net>
To: Magnus Hagander <magnus@hagander.net>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, Heikki Linnakangas <hlinnaka@iki.fi>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>, Jelte Fennema-Nio <postgres@jeltef.nl>, Daniel Gustafsson <daniel@yesql.se>, Bruce Momjian <bruce@momjian.us>, Joel Jacobson <joel@compiler.org>, Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>, Maciek Sakrejda <m.sakrejda@gmail.com>, Robert Haas <robertmhaas@gmail.com>
Date: 2024-03-19T22:24:47Z
Lists: pgsql-hackers

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. Add allow_alter_system GUC.

  2. Rename COMPAT_OPTIONS_CLIENT to COMPAT_OPTIONS_OTHER.

  3. Remove support for version-0 calling conventions.

On Tue, Mar 19, 2024 at 2:28 PM Magnus Hagander <magnus@hagander.net> wrote:

> On Tue, Mar 19, 2024 at 3:52 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
> >
> > Heikki Linnakangas <hlinnaka@iki.fi> writes:
> > > Perhaps we could make that even better with a GUC though. I propose a
> > > GUC called 'configuration_managed_externally = true / false". If you
> set
> > > it to true, we prevent ALTER SYSTEM and make the error message more
> > > definitive:
> >
> > > postgres=# ALTER SYSTEM SET wal_level TO minimal;
> > > ERROR:  configuration is managed externally
> >
> > > As a bonus, if that GUC is set, we could even check at server startup
> > > that all the configuration files are not writable by the postgres user,
> > > and print a warning or refuse to start up if they are.
> >
> > I like this idea.  The "bonus" is not optional though, because
> > setting the files' ownership/permissions is the only way to be
> > sure that the prohibition is even a little bit bulletproof.
> >
> > One small issue: how do we make that work on Windows?  Have recent
> > versions grown anything that looks like real file permissions?
>
> Windows has had full ACL support since 1993. The  easiest way to do
> what you're doing here is to just set a DENY permission on the
> postgres operating system user.
>
>
>
>


Yeah. See <
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/icacls>
for example.

cheers

andrew