Re: Possibility to disable `ALTER SYSTEM`
Wolfgang Walther <walther@technowledgy.de>
From: walther@technowledgy.de
To: Greg Sabino Mullane <htamfids@gmail.com>, Tom Lane <tgl@sss.pgh.pa.us>
Cc: Jelte Fennema-Nio <postgres@jeltef.nl>,
Heikki Linnakangas <hlinnaka@iki.fi>,
PostgreSQL Hackers <pgsql-hackers@postgresql.org>,
Daniel Gustafsson <daniel@yesql.se>, Bruce Momjian <bruce@momjian.us>,
Joel Jacobson <joel@compiler.org>, Andrew Dunstan <andrew@dunslane.net>,
Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>,
Magnus Hagander <magnus.hagander@redpill-linpro.com>,
Maciek Sakrejda <m.sakrejda@gmail.com>, Robert Haas <robertmhaas@gmail.com>
Date: 2024-03-19T20:53:46Z
Lists: pgsql-hackers
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Add allow_alter_system GUC.
- d3ae2a24f265 17.0 landed
-
Rename COMPAT_OPTIONS_CLIENT to COMPAT_OPTIONS_OTHER.
- de7e96bd0fc6 17.0 landed
-
Remove support for version-0 calling conventions.
- 5ded4bd21403 10.0 cited
Greg Sabino Mullane: > On Tue, Mar 19, 2024 at 12:05 PM Tom Lane <tgl@sss.pgh.pa.us > <mailto:tgl@sss.pgh.pa.us>> wrote: > > If you aren't willing to build a solution that blocks off mods > using COPY TO FILE/PROGRAM and other readily-available-to-superusers > tools (plpythonu for instance), I think you shouldn't bother asking > for a feature at all. Just trust your superusers. > > > There is a huge gap between using a well-documented standard tool like > ALTER SYSTEM and going out of your way to modify the configuration files > through trickery. I think we need to only solve the former as in "hey, > please don't do that because your changes will be overwritten" Recap: The requested feature is not supposed to be a security feature. It is supposed to prevent the admin from accidentally doing the wrong thing - but not from willfully doing the same through different means. This very much sounds like a "warning" - how about turning the feature into one? Have a GUC warn_on_alter_system = "<message>", which allows the kubernetes operator to set it to something like "hey, please don't do that because your changes will be overwritten. Use xyz operator instead.". This will hardly be taken as a security feature by anyone, but should essentially achieve what is asked for. A more sophisticated way would be to make that GUC throw an error, but have a syntax for ALTER SYSTEM to override this - i.e. similar to a --force flag. Best, Wolfgang