Re: Possibility to disable `ALTER SYSTEM`

David G. Johnston <david.g.johnston@gmail.com>

From: "David G. Johnston" <david.g.johnston@gmail.com>
To: Joel Jacobson <joel@compiler.org>
Cc: pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2024-02-07T13:34:06Z
Lists: pgsql-hackers

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. Add allow_alter_system GUC.

  2. Rename COMPAT_OPTIONS_CLIENT to COMPAT_OPTIONS_OTHER.

  3. Remove support for version-0 calling conventions.

On Wednesday, February 7, 2024, Joel Jacobson <joel@compiler.org> wrote:

>
> On Fri, Sep 8, 2023, at 23:43, Magnus Hagander wrote:
> > We need a "allowlist" of things a user can do, rather than a blocklist
> > of "they can do everything they can possibly think of and a computer
> > is capable of doing, except for this one specific thing". Blocklisting
> > individual permissions of a superuser will never be secure.
>
> +1 for preferring an "allowlist" approach over a blocklist.
>

The status quo is allow everything so while the theory is nice it seems
that requiring it to be allowlist is just going to scare anyone off of
actually improving matters.

Also, this isn’t necessarily about blocking the superuser, it is about
effectively disabling features deemed undesirable at runtime.  All features
enabled by default seems like a valid policy.

While the only features likely to be disabled are those involving someone’s
definition of security the security policy is still that superuser can do
everything the system is capable of doing.

David J.