Re: Possibility to disable `ALTER SYSTEM`
David G. Johnston <david.g.johnston@gmail.com>
From: "David G. Johnston" <david.g.johnston@gmail.com>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Magnus Hagander <magnus@hagander.net>, Robert Haas <robertmhaas@gmail.com>, Martín Marqués <martin.marques@gmail.com>, Isaac Morland <isaac.morland@gmail.com>, Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>, "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Date: 2024-01-31T05:43:57Z
Lists: pgsql-hackers
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Add allow_alter_system GUC.
- d3ae2a24f265 17.0 landed
-
Rename COMPAT_OPTIONS_CLIENT to COMPAT_OPTIONS_OTHER.
- de7e96bd0fc6 17.0 landed
-
Remove support for version-0 calling conventions.
- 5ded4bd21403 10.0 cited
On Tuesday, January 30, 2024, Tom Lane <tgl@sss.pgh.pa.us> wrote: > "David G. Johnston" <david.g.johnston@gmail.com> writes: > > On Tuesday, January 30, 2024, Tom Lane <tgl@sss.pgh.pa.us> wrote: > >> My larger point here is that trying to enforce restrictions on > >> superusers *within* Postgres is simply not a good plan, for > >> largely the same reasons that Robert questioned making the > >> GUC mechanism police itself. It needs to be done outside, > >> either at the filesystem level or via some other kernel-level > >> security system. > > > The idea of adding a file to the data directory appeals to me. > > > > optional_runtime_features.conf > > alter_system=enabled > > copy_from_program=enabled > > copy_to_program=disabled > > ... so, exactly what keeps an uncooperative superuser from > overwriting that file? > > You cannot enforce such restrictions within Postgres. > It has to be done by an outside mechanism. If you think > different, you are mistaken. > If the only user on the OS that can modify that file is root, how does the superuser, who is hard coded to not be root, modify it? The root/admin user on the OS and it’s filesystem permissions is the outside mechanism being suggested here. If the complaint is that the in-memory boolean is changeable by the superuser, or even the logic pertaining to the error branch of the code, then yes this is a lost cause. But root prevents superuser from controlling that file and then that file can prevent the superuser from escaping to the operating system and leveraging its OS postgres user. David J.