Re: Possibility to disable `ALTER SYSTEM`
David G. Johnston <david.g.johnston@gmail.com>
From: "David G. Johnston" <david.g.johnston@gmail.com>
To: Joel Jacobson <joel@compiler.org>
Cc: pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2024-02-07T13:34:06Z
Lists: pgsql-hackers
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Add allow_alter_system GUC.
- d3ae2a24f265 17.0 landed
-
Rename COMPAT_OPTIONS_CLIENT to COMPAT_OPTIONS_OTHER.
- de7e96bd0fc6 17.0 landed
-
Remove support for version-0 calling conventions.
- 5ded4bd21403 10.0 cited
On Wednesday, February 7, 2024, Joel Jacobson <joel@compiler.org> wrote: > > On Fri, Sep 8, 2023, at 23:43, Magnus Hagander wrote: > > We need a "allowlist" of things a user can do, rather than a blocklist > > of "they can do everything they can possibly think of and a computer > > is capable of doing, except for this one specific thing". Blocklisting > > individual permissions of a superuser will never be secure. > > +1 for preferring an "allowlist" approach over a blocklist. > The status quo is allow everything so while the theory is nice it seems that requiring it to be allowlist is just going to scare anyone off of actually improving matters. Also, this isn’t necessarily about blocking the superuser, it is about effectively disabling features deemed undesirable at runtime. All features enabled by default seems like a valid policy. While the only features likely to be disabled are those involving someone’s definition of security the security policy is still that superuser can do everything the system is capable of doing. David J.