Re: Possibility to disable `ALTER SYSTEM`
Joel Jacobson <joel@compiler.org>
From: "Joel Jacobson" <joel@compiler.org>
To: pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2024-02-07T08:56:58Z
Lists: pgsql-hackers
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Add allow_alter_system GUC.
- d3ae2a24f265 17.0 landed
-
Rename COMPAT_OPTIONS_CLIENT to COMPAT_OPTIONS_OTHER.
- de7e96bd0fc6 17.0 landed
-
Remove support for version-0 calling conventions.
- 5ded4bd21403 10.0 cited
On Fri, Sep 8, 2023, at 16:17, Gabriele Bartolini wrote: > ``` > postgres=# ALTER SYSTEM SET wal_level TO minimal; > ERROR: could not open file "postgresql.auto.conf": Permission denied > ``` +1 to simply mark postgresql.auto.conf file as not being writeable. To improve the UX experience, how about first checking if the file is not writeable, or catch EACCESS, and add a user-friendly hint? ``` postgres=# ALTER SYSTEM SET wal_level TO minimal; ERROR: could not open file "postgresql.auto.conf": Permission denied HINT: The ALTER SYSTEM command is effectively disabled as the configuration file is set to read-only. ``` On Fri, Sep 8, 2023, at 23:43, Magnus Hagander wrote: > We need a "allowlist" of things a user can do, rather than a blocklist > of "they can do everything they can possibly think of and a computer > is capable of doing, except for this one specific thing". Blocklisting > individual permissions of a superuser will never be secure. +1 for preferring an "allowlist" approach over a blocklist. In a way, I think this is similar to the project's philosophy on Query Hints, which I strongly support as I think it leads to a better PostgreSQL over the long term. It creates a crucial feedback loop between users facing query planner issues and our developer community, providing essential insights for enhancing the Query Planner. If users were to simply apply Query Hints as a quick fix instead of reporting underlying problems, we would often lose these valuable opportunities for improvement of the Query Planner. Similarly, I think it's crucial to identify functionalities that currently require superuser privileges and cannot yet be explicitly granted to non-superusers. /Joel