Re: Possibility to disable `ALTER SYSTEM`
Isaac Morland <isaac.morland@gmail.com>
From: Isaac Morland <isaac.morland@gmail.com>
To: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, pgsql-hackers@postgresql.org
Date: 2023-09-08T14:11:30Z
Lists: pgsql-hackers
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Add allow_alter_system GUC.
- d3ae2a24f265 17.0 landed
-
Rename COMPAT_OPTIONS_CLIENT to COMPAT_OPTIONS_OTHER.
- de7e96bd0fc6 17.0 landed
-
Remove support for version-0 calling conventions.
- 5ded4bd21403 10.0 cited
On Fri, 8 Sept 2023 at 10:03, Gabriele Bartolini < gabriele.bartolini@enterprisedb.com> wrote: > ALTER SYSTEM is already heavily restricted. > > > Could you please help me better understand what you mean here? > > >> I don't think we need random kluges added to the permissions system. > > > If you allow me, why do you think disabling ALTER SYSTEM altogether is a > random kluge? Again, I'd like to better understand this position. I've > personally been in many conversations on the security side of things for > Postgres in Kubernetes environments, and this is a frequent concern by > users who request that changes to the Postgres system (not a database) > should only be done declaratively and prevented from within the system. > Alternate idea, not sure how good this is: Use existing OS security features (regular permissions, or more modern features such as the immutable attribute) to mark the postgresql.auto.conf file as not being writeable. Then any attempt to ALTER SYSTEM should result in an error.