Re: Possibility to disable `ALTER SYSTEM`

2024-03-29 Thread Robert Haas
On Fri, Mar 29, 2024 at 10:48 AM Bruce Momjian wrote: > On Fri, Mar 29, 2024 at 08:46:33AM -0400, Robert Haas wrote: > > On Thu, Mar 28, 2024 at 3:33 PM Bruce Momjian wrote: > > > I am fine with moving ahead. I thought my later emails explaining we > > > have to be careful communicated that. >

Re: Possibility to disable `ALTER SYSTEM`

2024-03-29 Thread Bruce Momjian
On Fri, Mar 29, 2024 at 08:46:33AM -0400, Robert Haas wrote: > On Thu, Mar 28, 2024 at 3:33 PM Bruce Momjian wrote: > > I am fine with moving ahead. I thought my later emails explaining we > > have to be careful communicated that. > > OK. Thanks for clarifying. I've committed the patch with the

Re: Possibility to disable `ALTER SYSTEM`

2024-03-29 Thread Robert Haas
On Thu, Mar 28, 2024 at 3:33 PM Bruce Momjian wrote: > I am fine with moving ahead. I thought my later emails explaining we > have to be careful communicated that. OK. Thanks for clarifying. I've committed the patch with the two wording changes that you suggested in your subsequent email. --

Re: Possibility to disable `ALTER SYSTEM`

2024-03-28 Thread Bruce Momjian
On Thu, Mar 28, 2024 at 01:23:36PM +0100, Jelte Fennema-Nio wrote: > + > +Turning this setting off is intended for environments where the > +configuration of PostgreSQL is managed by > +some external tool. > +In such environments, a well intentioned superuser

Re: Possibility to disable `ALTER SYSTEM`

2024-03-28 Thread Bruce Momjian
On Thu, Mar 28, 2024 at 02:43:38PM -0400, Robert Haas wrote: > How would you like to proceed from here? I think that in addressing > all of the comments given in the last few days, the documentation has > gotten modestly worse. I think it was crisp and clear before, and now > it feels a little ...

Re: Possibility to disable `ALTER SYSTEM`

2024-03-28 Thread Robert Haas
On Thu, Mar 28, 2024 at 1:46 PM Bruce Momjian wrote: > The concern about this patch is not its contents but because it is our > first attempt at putting limits on the superuser for an external tool. > If done improperly, this could open a flood of problems, including CVE > and user confusion,

Re: Possibility to disable `ALTER SYSTEM`

2024-03-28 Thread Bruce Momjian
On Thu, Mar 28, 2024 at 08:38:24AM -0400, Robert Haas wrote: > Let's please, please stop pretending like this patch is somehow > deserving of special scrutiny. There's barely even anything to > scrutinize. It's literally if (!variable) ereport(...) plus some > boilerplate and docs. I entirely

Re: Possibility to disable `ALTER SYSTEM`

2024-03-28 Thread Robert Haas
On Wed, Mar 27, 2024 at 6:24 PM Bruce Momjian wrote: > Please ignore my complaints, and my apologies. > > As far as the GUC change, let's just be careful since we have a bad > history of pushing things near the end that we regret. I am not saying > that would be this feature, but let's be

Re: Possibility to disable `ALTER SYSTEM`

2024-03-28 Thread Jelte Fennema-Nio
On Thu, 28 Mar 2024 at 12:57, Robert Haas wrote: > I disagree with a lot of these changes. I think the old version was > mostly better. But I can live with a lot of it if it makes other > people happy. I'd have been fine with many of the previous versions of the docs too. (I'm not a native

Re: Possibility to disable `ALTER SYSTEM`

2024-03-28 Thread Robert Haas
On Thu, Mar 28, 2024 at 5:42 AM Jelte Fennema-Nio wrote: > On Thu, 28 Mar 2024 at 10:24, Jelte Fennema-Nio wrote: > > I addressed them all I think. Mostly the small changes that were > > suggested, but I rewrote the sentence with "might be discarded". And I > > added references to the new GUC in

Re: Possibility to disable `ALTER SYSTEM`

2024-03-28 Thread Jelte Fennema-Nio
On Thu, 28 Mar 2024 at 10:24, Jelte Fennema-Nio wrote: > I addressed them all I think. Mostly the small changes that were > suggested, but I rewrote the sentence with "might be discarded". And I > added references to the new GUC in both places suggested by David. Changed the error hint to use

Re: Possibility to disable `ALTER SYSTEM`

2024-03-28 Thread Jelte Fennema-Nio
On Thu, 28 Mar 2024 at 01:43, David G. Johnston wrote: > > On Wed, Mar 27, 2024 at 5:17 PM Bruce Momjian wrote: >> >> I addressed them all I think. Mostly the small changes that were suggested, but I rewrote the sentence with "might be discarded". And I added references to the new GUC in both

Re: Possibility to disable `ALTER SYSTEM`

2024-03-27 Thread David G. Johnston
On Wed, Mar 27, 2024 at 5:43 PM David G. Johnston < david.g.johns...@gmail.com> wrote: > > This section is also the main entry point for users into the configuration > subsystem and hasn't been updated to reflect this new feature. That seems > like an oversight that needs to be corrected. > >

Re: Possibility to disable `ALTER SYSTEM`

2024-03-27 Thread David G. Johnston
On Wed, Mar 27, 2024 at 5:17 PM Bruce Momjian wrote: > On Thu, Mar 28, 2024 at 12:43:29AM +0100, Jelte Fennema-Nio wrote: > > + xreflabel="allow_alter_system"> > > + allow_alter_system (boolean) > > + > > + allow_alter_system configuration > parameter > > + > > +

Re: Possibility to disable `ALTER SYSTEM`

2024-03-27 Thread Bruce Momjian
On Thu, Mar 28, 2024 at 12:43:29AM +0100, Jelte Fennema-Nio wrote: > + xreflabel="allow_alter_system"> > + allow_alter_system (boolean) > + > + allow_alter_system configuration > parameter > + > + > + > + > +When allow_alter_system is set to

Re: Possibility to disable `ALTER SYSTEM`

2024-03-27 Thread Bruce Momjian
On Thu, Mar 28, 2024 at 12:47:46AM +0100, Jelte Fennema-Nio wrote: > On Wed, 27 Mar 2024 at 23:06, Bruce Momjian wrote: > > > > > > +some outside mechanism. In such environments, using > > > > > > ALTER > > > > > > +SYSTEM to make configuration changes might > > > > > > appear

Re: Possibility to disable `ALTER SYSTEM`

2024-03-27 Thread Jelte Fennema-Nio
On Wed, 27 Mar 2024 at 23:06, Bruce Momjian wrote: > > > > > +some outside mechanism. In such environments, using > > > > > ALTER > > > > > +SYSTEM to make configuration changes might appear > > > > > to work, > > > > > +but then may be discarded at some point in the

Re: Possibility to disable `ALTER SYSTEM`

2024-03-27 Thread Jelte Fennema-Nio
On Wed, 27 Mar 2024 at 20:10, Maciek Sakrejda wrote: > > On Wed, Mar 27, 2024, 11:46 Robert Haas wrote: >> >> On Wed, Mar 27, 2024 at 1:12 PM Isaac Morland >> wrote: >> > On Wed, 27 Mar 2024 at 13:05, Greg Sabino Mullane >> > wrote: >> >>> The purpose of the setting is to prevent accidental

Re: Possibility to disable `ALTER SYSTEM`

2024-03-27 Thread Jelte Fennema-Nio
On Wed, 27 Mar 2024 at 23:23, Bruce Momjian wrote: > > On Wed, Mar 27, 2024 at 11:10:31AM -0400, Robert Haas wrote: > > > Is this really a patch we think we can push into PG 17. I am having my > > > doubts. > > > > If the worst thing that happens in PG 17 is that we push a patch that > > needs a

Re: Possibility to disable `ALTER SYSTEM`

2024-03-27 Thread Bruce Momjian
On Wed, Mar 27, 2024 at 03:20:38PM -0700, David G. Johnston wrote: > On Wed, Mar 27, 2024 at 3:18 PM David G. Johnston > wrote: > > On Wed, Mar 27, 2024 at 3:13 PM Bruce Momjian wrote: > > On Wed, Mar 27, 2024 at 06:09:02PM -0400, Bruce Momjian wrote: > > On Wed, Mar 27,

Re: Possibility to disable `ALTER SYSTEM`

2024-03-27 Thread Bruce Momjian
On Wed, Mar 27, 2024 at 11:10:31AM -0400, Robert Haas wrote: > > Is this really a patch we think we can push into PG 17. I am having my > > doubts. > > If the worst thing that happens in PG 17 is that we push a patch that > needs a few documentation corrections, we're going to be doing >

Re: Possibility to disable `ALTER SYSTEM`

2024-03-27 Thread David G. Johnston
On Wed, Mar 27, 2024 at 3:18 PM David G. Johnston < david.g.johns...@gmail.com> wrote: > On Wed, Mar 27, 2024 at 3:13 PM Bruce Momjian wrote: > >> On Wed, Mar 27, 2024 at 06:09:02PM -0400, Bruce Momjian wrote: >> > On Wed, Mar 27, 2024 at 11:05:55AM -0400, Robert Haas wrote: >> > > On Wed, Mar

Re: Possibility to disable `ALTER SYSTEM`

2024-03-27 Thread David G. Johnston
On Wed, Mar 27, 2024 at 3:13 PM Bruce Momjian wrote: > On Wed, Mar 27, 2024 at 06:09:02PM -0400, Bruce Momjian wrote: > > On Wed, Mar 27, 2024 at 11:05:55AM -0400, Robert Haas wrote: > > > On Wed, Mar 27, 2024 at 10:43 AM Jelte Fennema-Nio > wrote: > > > > Alright, changed the GUC name to

Re: Possibility to disable `ALTER SYSTEM`

2024-03-27 Thread Bruce Momjian
On Wed, Mar 27, 2024 at 06:09:02PM -0400, Bruce Momjian wrote: > On Wed, Mar 27, 2024 at 11:05:55AM -0400, Robert Haas wrote: > > On Wed, Mar 27, 2024 at 10:43 AM Jelte Fennema-Nio > > wrote: > > > Alright, changed the GUC name to "allow_alter_system" since that seems > > > to have the most

Re: Possibility to disable `ALTER SYSTEM`

2024-03-27 Thread Bruce Momjian
On Wed, Mar 27, 2024 at 11:05:55AM -0400, Robert Haas wrote: > On Wed, Mar 27, 2024 at 10:43 AM Jelte Fennema-Nio wrote: > > Alright, changed the GUC name to "allow_alter_system" since that seems > > to have the most "votes". One other option would be to call it simply > > "alter_system", just

Re: Possibility to disable `ALTER SYSTEM`

2024-03-27 Thread Bruce Momjian
On Wed, Mar 27, 2024 at 04:50:27PM +0100, Jelte Fennema-Nio wrote: > > This wording was suggested upthread. I think the point here is that if > > the superuser is logging in from the local machine, it's obvious that > > they can do whatever they want. The point is to emphasize that a > > superuser

Re: Possibility to disable `ALTER SYSTEM`

2024-03-27 Thread Maciek Sakrejda
On Wed, Mar 27, 2024, 11:46 Robert Haas wrote: > On Wed, Mar 27, 2024 at 1:12 PM Isaac Morland > wrote: > > On Wed, 27 Mar 2024 at 13:05, Greg Sabino Mullane > wrote: > >>> The purpose of the setting is to prevent > accidental modifications via ALTER > SYSTEM in environments where > >> The

Re: Possibility to disable `ALTER SYSTEM`

2024-03-27 Thread Robert Haas
On Wed, Mar 27, 2024 at 1:12 PM Isaac Morland wrote: > On Wed, 27 Mar 2024 at 13:05, Greg Sabino Mullane wrote: >>> The purpose of the setting is to prevent accidental >>> modifications via ALTER SYSTEM in environments where >> The emphasis on 'accidental' seems a bit heavy here, and odd.

Re: Possibility to disable `ALTER SYSTEM`

2024-03-27 Thread David G. Johnston
On Wed, Mar 27, 2024 at 10:12 AM Isaac Morland wrote: > On Wed, 27 Mar 2024 at 13:05, Greg Sabino Mullane > wrote: > >> The purpose of the setting is to prevent accidental >>> modifications via ALTER SYSTEM in environments where >> >> >> The emphasis on 'accidental' seems a bit heavy here, and

Re: Possibility to disable `ALTER SYSTEM`

2024-03-27 Thread Isaac Morland
On Wed, 27 Mar 2024 at 13:05, Greg Sabino Mullane wrote: > The purpose of the setting is to prevent accidental >> modifications via ALTER SYSTEM in environments where > > > The emphasis on 'accidental' seems a bit heavy here, and odd. Surely, just > "to prevent modifications via ALTER SYSTEM in

Re: Possibility to disable `ALTER SYSTEM`

2024-03-27 Thread Greg Sabino Mullane
> > The purpose of the setting is to prevent accidental > modifications via ALTER SYSTEM in environments where The emphasis on 'accidental' seems a bit heavy here, and odd. Surely, just "to prevent modifications via ALTER SYSTEM in environments where..." is enough? Cheers, Greg

Re: Possibility to disable `ALTER SYSTEM`

2024-03-27 Thread Jelte Fennema-Nio
On Wed, 27 Mar 2024 at 16:10, Robert Haas wrote: > > On Wed, Mar 27, 2024 at 11:01 AM Bruce Momjian wrote: > > Uh, the above is clearly wrong. I think you mean "off" on the second line. > > Woops. When the name changed from externally_managed_configuration to > allow_alter_system, the sense of

Re: Possibility to disable `ALTER SYSTEM`

2024-03-27 Thread Robert Haas
On Wed, Mar 27, 2024 at 11:01 AM Bruce Momjian wrote: > Uh, the above is clearly wrong. I think you mean "off" on the second line. Woops. When the name changed from externally_managed_configuration to allow_alter_system, the sense of it was reversed, and I guess Jelte missed flipping the

Re: Possibility to disable `ALTER SYSTEM`

2024-03-27 Thread Robert Haas
On Wed, Mar 27, 2024 at 10:43 AM Jelte Fennema-Nio wrote: > Alright, changed the GUC name to "allow_alter_system" since that seems > to have the most "votes". One other option would be to call it simply > "alter_system", just like "jit" is not called "allow_jit" or > "enable_jit". > > But

Re: Possibility to disable `ALTER SYSTEM`

2024-03-27 Thread Bruce Momjian
On Wed, Mar 27, 2024 at 03:43:28PM +0100, Jelte Fennema-Nio wrote: > + > + > + > +When allow_alter_system is set to > +on, an error is returned if the ALTER > +SYSTEM command is used. This parameter can only be set in > +the postgresql.conf file
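Review bot: The first sentence of the added paragraph says an error is returned when allow_alter_system is set to on, which contradicts the parameter's name. A setting called allow_alter_system should reject the ALTER SYSTEM command when it is off. Suggest changing "on" to "off" in that sentence so the description matches the name.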

Re: Possibility to disable `ALTER SYSTEM`

2024-03-27 Thread Jelte Fennema-Nio
On Wed, 27 Mar 2024 at 02:24, Andrew Dunstan wrote: > Agree. I don’t think “_command” adds much clarity. Alright, changed the GUC name to "allow_alter_system" since that seems to have the most "votes". One other option would be to call it simply "alter_system", just like "jit" is not called

Re: Possibility to disable `ALTER SYSTEM`

2024-03-26 Thread Andrew Dunstan
> On Mar 27, 2024, at 3:53 AM, Tom Lane wrote: > > Bruce Momjian writes: >> I am thinking "enable_alter_system_command" is probably good because we >> already use "enable" so why not reuse that idea, and I think "command" >> is needed because we need to clarify we are talking about the

Re: Possibility to disable `ALTER SYSTEM`

2024-03-26 Thread Tom Lane
Bruce Momjian writes: > I am thinking "enable_alter_system_command" is probably good because we > already use "enable" so why not reuse that idea, and I think "command" > is needed because we need to clarify we are talking about the command, > and not generic altering of the system. We could use

Re: Possibility to disable `ALTER SYSTEM`

2024-03-26 Thread Bruce Momjian
On Tue, Mar 26, 2024 at 10:23:51AM -0400, Tom Lane wrote: > Robert Haas writes: > > On Mon, Mar 25, 2024 at 5:04 PM Bruce Momjian wrote: > >> To me, externally_managed_configuration is promising a lot more than it > >> delivers because there is still a lot of configuration it doesn't > >>

Re: Possibility to disable `ALTER SYSTEM`

2024-03-26 Thread Tom Lane
Robert Haas writes: > On Mon, Mar 25, 2024 at 5:04 PM Bruce Momjian wrote: >> To me, externally_managed_configuration is promising a lot more than it >> delivers because there is still a lot of configuration it doesn't >> control. I am also confused why the purpose of the feature, external >>

Re: Possibility to disable `ALTER SYSTEM`

2024-03-26 Thread Robert Haas
On Tue, Mar 26, 2024 at 8:55 AM Abhijit Menon-Sen wrote: > Yes, "externally_managed_configuration" raises far more questions than > it answers. "enable_alter_system" is clearer in terms of what to expect > when you set it. "enable_alter_system_command" is rather long, but even > better in that it

Re: Possibility to disable `ALTER SYSTEM`

2024-03-26 Thread Abhijit Menon-Sen
At 2024-03-26 08:11:33 -0400, robertmh...@gmail.com wrote: > > On Mon, Mar 25, 2024 at 5:04 PM Bruce Momjian wrote: > > > > Isn't "configuration" too generic a term for disabling ALTER SYSTEM? > > > > > > maybe "externally_managed_auto_config" > > > > How many people associate "auto" with ALTER

Re: Possibility to disable `ALTER SYSTEM`

2024-03-26 Thread Daniel Gustafsson
> On 26 Mar 2024, at 13:11, Robert Haas wrote: > On Mon, Mar 25, 2024 at 5:04 PM Bruce Momjian wrote: >> To me, externally_managed_configuration is promising a lot more than it >> delivers because there is still a lot of configuration it doesn't >> control. I am also confused why the purpose

Re: Possibility to disable `ALTER SYSTEM`

2024-03-26 Thread Robert Haas
On Mon, Mar 25, 2024 at 5:04 PM Bruce Momjian wrote: > > > Isn't "configuration" too generic a term for disabling ALTER SYSTEM? > > > > maybe "externally_managed_auto_config" > > How many people associate "auto" with ALTER SYSTEM? I assume not many. > > To me, externally_managed_configuration is

Re: Possibility to disable `ALTER SYSTEM`

2024-03-25 Thread Bruce Momjian
On Mon, Mar 25, 2024 at 09:40:55PM +0100, Jelte Fennema-Nio wrote: > On Mon, 25 Mar 2024 at 20:16, Bruce Momjian wrote: > > I am wondering if the fact that you would be able to do: > > > > ALTER SYSTEM SET externally_managed_configuration = false > > > > and then be unable to use ALTER

Re: Possibility to disable `ALTER SYSTEM`

2024-03-25 Thread Jelte Fennema-Nio
On Mon, 25 Mar 2024 at 20:16, Bruce Momjian wrote: > I am wondering if the fact that you would be able to do: > > ALTER SYSTEM SET externally_managed_configuration = false > > and then be unable to use ALTER SYSTEM to revert the change is > significant. This is not possible, due to the

Re: Possibility to disable `ALTER SYSTEM`

2024-03-25 Thread Bruce Momjian
On Mon, Mar 25, 2024 at 01:29:46PM -0400, Robert Haas wrote: > What is less clear is whether there is a consensus in favor of this > particular method of disabling ALTER SYSTEM, namely, via a GUC. The > two alternate approaches that seem to enjoy some level of support are > (a) an extension or (b)

Re: Possibility to disable `ALTER SYSTEM`

2024-03-25 Thread Robert Haas
On Mon, Mar 25, 2024 at 2:26 PM Tom Lane wrote: > I wonder whether this feature should include teaching the server > to ignore postgresql.auto.conf altogether, which would make it > relatively easy to get to a bulletproof configuration. This has been debated a few times on the thread already,

Re: Possibility to disable `ALTER SYSTEM`

2024-03-25 Thread Magnus Hagander
On Mon, Mar 25, 2024 at 7:27 PM Tom Lane wrote: > Robert Haas writes: > > OK, great. The latest patch doesn't specifically talk about backing it > > up with filesystem-level controls, but it does clearly say that this > > feature is not going to stop a determined superuser from bypassing the >

Re: Possibility to disable `ALTER SYSTEM`

2024-03-25 Thread Tom Lane
Robert Haas writes: > OK, great. The latest patch doesn't specifically talk about backing it > up with filesystem-level controls, but it does clearly say that this > feature is not going to stop a determined superuser from bypassing the > feature, which I think is the appropriate level of detail.

Re: Possibility to disable `ALTER SYSTEM`

2024-03-25 Thread Robert Haas
On Mon, Mar 25, 2024 at 1:47 PM Tom Lane wrote: > FWIW, I never objected to the idea of being able to disable ALTER > SYSTEM. I felt that it ought to be part of a larger feature that > would provide a more bulletproof guarantee that a superuser can't > alter the system configuration; but I'm

Re: Possibility to disable `ALTER SYSTEM`

2024-03-25 Thread Tom Lane
Robert Haas writes: > Since those are just minor points, that brings us to the question of > whether there is consensus to proceed with this. I believe that there > is a clear consensus that there should be some way to disable ALTER > SYSTEM. Sure, some people, particularly Tom, disagree, but I

Re: Possibility to disable `ALTER SYSTEM`

2024-03-25 Thread Robert Haas
On Tue, Mar 19, 2024 at 9:13 AM Jelte Fennema-Nio wrote: > On Mon, 18 Mar 2024 at 18:27, Robert Haas wrote: > > I think for now we > > should just file this under "Other platforms and clients," which only > > has one existing setting. If the number of settings of this type > > grows, we can

Re: Possibility to disable `ALTER SYSTEM`

2024-03-21 Thread Robert Treat
On Wed, Mar 20, 2024 at 10:31 PM Magnus Hagander wrote: > > On Wed, Mar 20, 2024 at 8:52 PM Robert Haas wrote: >> >> On Wed, Mar 20, 2024 at 3:17 PM Magnus Hagander wrote: >> > Right, what I meant is that making it a packaging decision is the better >> > place. Wherever it goes, allowing the

Re: Possibility to disable `ALTER SYSTEM`

2024-03-21 Thread Robert Haas
On Wed, Mar 20, 2024 at 10:30 PM Magnus Hagander wrote: > Not really. The administrator can *already* do that. It's trivial. > > This patch is about doing it in a way that doesn't produce as ugly a > message. But if we're "delegating" it to packagers and "os administrators", > then the problem

Re: Possibility to disable `ALTER SYSTEM`

2024-03-20 Thread Magnus Hagander
On Wed, Mar 20, 2024 at 8:52 PM Robert Haas wrote: > On Wed, Mar 20, 2024 at 3:17 PM Magnus Hagander > wrote: > > Right, what I meant is that making it a packaging decision is the better > place. Wherever it goes, allowing the administrator to choose what fits > them should be made possible. >

Re: Possibility to disable `ALTER SYSTEM`

2024-03-20 Thread David Steele
On 3/20/24 22:30, Michael Banck wrote: On Tue, Mar 19, 2024 at 10:51:50AM -0400, Tom Lane wrote: Heikki Linnakangas writes: Perhaps we could make that even better with a GUC though. I propose a GUC called 'configuration_managed_externally = true / false". If you set it to true, we prevent

Re: Possibility to disable `ALTER SYSTEM`

2024-03-20 Thread Michael Banck
Hi, On Wed, Mar 20, 2024 at 08:11:32PM +0100, Magnus Hagander wrote: > (And FWIW also already solved on debian-based platforms for example, > which put the main config files in /etc with postgres only having read > permissions on them JFTR - Debian/Ubuntu keep postgresql.conf under

Re: Possibility to disable `ALTER SYSTEM`

2024-03-20 Thread Robert Haas
On Wed, Mar 20, 2024 at 3:17 PM Magnus Hagander wrote: > Right, what I meant is that making it a packaging decision is the better > place. Wherever it goes, allowing the administrator to choose what fits them > should be made possible. +1. Which is also the justification for this patch, when

Re: Possibility to disable `ALTER SYSTEM`

2024-03-20 Thread Magnus Hagander
On Wed, Mar 20, 2024 at 8:14 PM Robert Haas wrote: > On Wed, Mar 20, 2024 at 3:11 PM Magnus Hagander > wrote: > > I would argue that having the default permissions not allow postgres to > edit its own config files *except* for postgresql.auto.conf would be a > better default than what we have

Re: Possibility to disable `ALTER SYSTEM`

2024-03-20 Thread Robert Haas
On Wed, Mar 20, 2024 at 3:11 PM Magnus Hagander wrote: > I would argue that having the default permissions not allow postgres to edit > its own config files *except* for postgresql.auto.conf would be a better > default than what we have now, but that's completely independent of the patch >

Re: Possibility to disable `ALTER SYSTEM`

2024-03-20 Thread Magnus Hagander
On Wed, Mar 20, 2024 at 8:04 PM Robert Haas wrote: > On Wed, Mar 20, 2024 at 11:07 AM Jelte Fennema-Nio > wrote: > > > Ugh, please let's not do this. This was bouncing around in my head > last night, and this is really a quite radical change - especially just to > handle the given ask, which is

Re: Possibility to disable `ALTER SYSTEM`

2024-03-20 Thread Robert Haas
On Wed, Mar 20, 2024 at 11:07 AM Jelte Fennema-Nio wrote: > > Ugh, please let's not do this. This was bouncing around in my head last > > night, and this is really a quite radical change - especially just to > > handle the given ask, which is to prevent a specific command from running. > > Not

Re: Possibility to disable `ALTER SYSTEM`

2024-03-20 Thread Jelte Fennema-Nio
On Wed, 20 Mar 2024 at 14:04, Greg Sabino Mullane wrote: >> >> As a bonus, if that GUC is set, we could even check at server startup that >> all the configuration files are not writable by the postgres user, >> and print a warning or refuse to start up if they are. > > > Ugh, please let's not do

Re: Possibility to disable `ALTER SYSTEM`

2024-03-20 Thread Greg Sabino Mullane
> > As a bonus, if that GUC is set, we could even check at server startup that > all the configuration files are not writable by the postgres user, > and print a warning or refuse to start up if they are. > Ugh, please let's not do this. This was bouncing around in my head last night, and this is

Re: Possibility to disable `ALTER SYSTEM`

2024-03-20 Thread Michael Banck
Hi, On Tue, Mar 19, 2024 at 10:51:50AM -0400, Tom Lane wrote: > Heikki Linnakangas writes: > > Perhaps we could make that even better with a GUC though. I propose a > > GUC called 'configuration_managed_externally = true / false". If you set > > it to true, we prevent ALTER SYSTEM and make the

Re: Possibility to disable `ALTER SYSTEM`

2024-03-19 Thread Tom Lane
Andrew Dunstan writes: > On Tue, Mar 19, 2024 at 2:28 PM Magnus Hagander wrote: >> Windows has had full ACL support since 1993. The easiest way to do >> what you're doing here is to just set a DENY permission on the >> postgres operating system user. > Yeah. See < >

Re: Possibility to disable `ALTER SYSTEM`

2024-03-19 Thread Andrew Dunstan
On Tue, Mar 19, 2024 at 2:28 PM Magnus Hagander wrote: > On Tue, Mar 19, 2024 at 3:52 PM Tom Lane wrote: > > > > Heikki Linnakangas writes: > > > Perhaps we could make that even better with a GUC though. I propose a > > > GUC called 'configuration_managed_externally = true / false". If you >

Re: Possibility to disable `ALTER SYSTEM`

2024-03-19 Thread walther
Greg Sabino Mullane: On Tue, Mar 19, 2024 at 12:05 PM Tom Lane > wrote: If you aren't willing to build a solution that blocks off mods using COPY TO FILE/PROGRAM and other readily-available-to-superusers tools (plpythonu for instance), I think you

Re: Possibility to disable `ALTER SYSTEM`

2024-03-19 Thread Daniel Gustafsson
> On 19 Mar 2024, at 15:51, Tom Lane wrote: > > Heikki Linnakangas writes: >> Perhaps we could make that even better with a GUC though. I propose a >> GUC called 'configuration_managed_externally = true / false". If you set >> it to true, we prevent ALTER SYSTEM and make the error message

Re: Possibility to disable `ALTER SYSTEM`

2024-03-19 Thread Magnus Hagander
On Tue, Mar 19, 2024 at 3:52 PM Tom Lane wrote: > > Heikki Linnakangas writes: > > Perhaps we could make that even better with a GUC though. I propose a > > GUC called 'configuration_managed_externally = true / false". If you set > > it to true, we prevent ALTER SYSTEM and make the error message

Re: Possibility to disable `ALTER SYSTEM`

2024-03-19 Thread Daniel Gustafsson
> On 19 Mar 2024, at 17:53, Jelte Fennema-Nio wrote: > > On Tue, 19 Mar 2024 at 17:05, Tom Lane wrote: >> I've said this repeatedly: it's not enough. The only reason we need >> any feature whatsoever is that somebody doesn't trust their database >> superusers to not try to modify the

Re: Possibility to disable `ALTER SYSTEM`

2024-03-19 Thread Greg Sabino Mullane
On Tue, Mar 19, 2024 at 12:05 PM Tom Lane wrote: > If you aren't willing to build a solution that blocks off mods > using COPY TO FILE/PROGRAM and other readily-available-to-superusers > tools (plpythonu for instance), I think you shouldn't bother asking > for a feature at all. Just trust your

Re: Possibility to disable `ALTER SYSTEM`

2024-03-19 Thread Jelte Fennema-Nio
On Tue, 19 Mar 2024 at 17:05, Tom Lane wrote: > I've said this repeatedly: it's not enough. The only reason we need > any feature whatsoever is that somebody doesn't trust their database > superusers to not try to modify the configuration. And as everyone else on this thread has said: It is

Re: Possibility to disable `ALTER SYSTEM`

2024-03-19 Thread Tom Lane
Jelte Fennema-Nio writes: > On Tue, 19 Mar 2024 at 15:52, Tom Lane wrote: >> I like this idea. The "bonus" is not optional though, because >> setting the files' ownership/permissions is the only way to be >> sure that the prohibition is even a little bit bulletproof. > I don't agree with this.

Re: Possibility to disable `ALTER SYSTEM`

2024-03-19 Thread Jelte Fennema-Nio
On Tue, 19 Mar 2024 at 15:52, Tom Lane wrote: > I like this idea. The "bonus" is not optional though, because > setting the files' ownership/permissions is the only way to be > sure that the prohibition is even a little bit bulletproof. I don't agree with this. The only "normal" way of

Re: Possibility to disable `ALTER SYSTEM`

2024-03-19 Thread Tom Lane
Heikki Linnakangas writes: > Perhaps we could make that even better with a GUC though. I propose a > GUC called 'configuration_managed_externally = true / false". If you set > it to true, we prevent ALTER SYSTEM and make the error message more > definitive: > postgres=# ALTER SYSTEM SET

Re: Possibility to disable `ALTER SYSTEM`

2024-03-19 Thread Joe Conway
On 3/19/24 07:49, Andrew Dunstan wrote: On Tue, Mar 19, 2024 at 5:26 AM Heikki Linnakangas > wrote: I want to remind everyone of this from Gabriele's first message that started this thread: > At the moment, a possible workaround is that `ALTER SYSTEM`

Re: Possibility to disable `ALTER SYSTEM`

2024-03-19 Thread Jelte Fennema-Nio
On Mon, 18 Mar 2024 at 18:27, Robert Haas wrote: > I think for now we > should just file this under "Other platforms and clients," which only > has one existing setting. If the number of settings of this type > grows, we can split it out. Done. I also included a patch to rename

Re: Possibility to disable `ALTER SYSTEM`

2024-03-19 Thread Andrew Dunstan
On Tue, Mar 19, 2024 at 5:26 AM Heikki Linnakangas wrote: > I want to remind everyone of this from Gabriele's first message that > started this thread: > > > At the moment, a possible workaround is that `ALTER SYSTEM` can be > blocked > > by making the postgresql.auto.conf read only, but the

Re: Possibility to disable `ALTER SYSTEM`

2024-03-19 Thread Heikki Linnakangas
I want to remind everyone of this from Gabriele's first message that started this thread: At the moment, a possible workaround is that `ALTER SYSTEM` can be blocked by making the postgresql.auto.conf read only, but the returned message is misleading and that’s certainly bad user experience

Re: Possibility to disable `ALTER SYSTEM`

2024-03-18 Thread Greg Sabino Mullane
Going to agree with Robert Treat here about an extension being a great solution. I resisted posting earlier as I wanted to see how this all pans out, but I wrote a quick little POC extension some months ago that does the disabling and works well (and cannot be easily worked around). On Mon, Mar

Re: Possibility to disable `ALTER SYSTEM`

2024-03-18 Thread Robert Haas
On Mon, Mar 18, 2024 at 4:07 PM Robert Treat wrote: > You know it's funny, you say #4 has no advantage and should be > rejected outright, but AFAICT > > a) no one has actually laid out why it wouldn't work for them, > b) and it's the one solution that can be implemented now > c) and that

Re: Possibility to disable `ALTER SYSTEM`

2024-03-18 Thread Robert Treat
On Thu, Mar 14, 2024 at 12:37 PM Robert Haas wrote: > > On Tue, Feb 13, 2024 at 2:05 AM Joel Jacobson wrote: > > > Wouldn't having system wide EVTs be a generic solution which could be the > > > infrastructure for this requested change as well as others in the same > > > area? > > > > +1 > > >

Re: Possibility to disable `ALTER SYSTEM`

2024-03-18 Thread Maciek Sakrejda
On Mon, Mar 18, 2024 at 10:27 AM Robert Haas wrote: > Right, we're adding this because of environments like Kubernetes, > which isn't a version, but it is a platform, or at least a deployment > mode, which is why I thought of that section. I think for now we > should just file this under "Other

Re: Possibility to disable `ALTER SYSTEM`

2024-03-18 Thread Robert Haas
On Mon, Mar 18, 2024 at 12:19 PM Maciek Sakrejda wrote: > +1 on Version and Platform Compatibility. Maybe it just needs a new > subsection there? This is for compatibility with a "deployment > platform". The "Platform and Client Compatibility" subsection has just > one entry, so a new subsection

Re: Possibility to disable `ALTER SYSTEM`

2024-03-18 Thread Robert Haas
On Mon, Mar 18, 2024 at 11:46 AM Magnus Hagander wrote: > > Wouldn't that break pgBackrest which IIRC write to .auto.conf directly > > without using ALTER SYSTEM? > > Ugh of course. And not only that, it would also break pg_basebackup > which does the same. > > So I guess that's not a good idea.

Re: Possibility to disable `ALTER SYSTEM`

2024-03-18 Thread Maciek Sakrejda
On Mon, Mar 18, 2024 at 7:12 AM Jelte Fennema-Nio wrote: > > On Mon, 18 Mar 2024 at 13:57, Robert Haas wrote: > > I would have been somewhat inclined to find an existing section > > of postgresql.auto.conf for this parameter, perhaps "platform and > > version compatibility". > > I tried to find

Re: Possibility to disable `ALTER SYSTEM`

2024-03-18 Thread Magnus Hagander
On Mon, Mar 18, 2024 at 4:44 PM Daniel Gustafsson wrote: > > > On 18 Mar 2024, at 16:34, Magnus Hagander wrote: > > > > On Mon, Mar 18, 2024 at 2:09 PM Daniel Gustafsson wrote: > >> > >>> On 18 Mar 2024, at 13:57, Robert Haas wrote: > >> > >>> my proposal is something like this, taking a > >>>

Re: Possibility to disable `ALTER SYSTEM`

2024-03-18 Thread Daniel Gustafsson
> On 18 Mar 2024, at 16:34, Magnus Hagander wrote: > > On Mon, Mar 18, 2024 at 2:09 PM Daniel Gustafsson wrote: >> >>> On 18 Mar 2024, at 13:57, Robert Haas wrote: >> >>> my proposal is something like this, taking a >>> bunch of text from Jelte's patch and some inspiration from Magnus's >>>

Re: Possibility to disable `ALTER SYSTEM`

2024-03-18 Thread Magnus Hagander
On Mon, Mar 18, 2024 at 2:09 PM Daniel Gustafsson wrote: > > > On 18 Mar 2024, at 13:57, Robert Haas wrote: > > > my proposal is something like this, taking a > > bunch of text from Jelte's patch and some inspiration from Magnus's > > earlier remarks: > > I still think any wording should clearly

Re: Possibility to disable `ALTER SYSTEM`

2024-03-18 Thread Jelte Fennema-Nio
On Mon, 18 Mar 2024 at 13:57, Robert Haas wrote: > I would have been somewhat inclined to find an existing section > of postgresql.auto.conf for this parameter, perhaps "platform and > version compatibility". I tried to find an existing section, but I couldn't find any that this new GUC would

Re: Possibility to disable `ALTER SYSTEM`

2024-03-18 Thread Daniel Gustafsson
> On 18 Mar 2024, at 13:57, Robert Haas wrote: > my proposal is something like this, taking a > bunch of text from Jelte's patch and some inspiration from Magnus's > earlier remarks: I still think any wording should clearly mention that settings in the file are still applied. The proposed

Re: Possibility to disable `ALTER SYSTEM`

2024-03-18 Thread Robert Haas
On Fri, Mar 15, 2024 at 7:09 AM Jelte Fennema-Nio wrote: > On Fri, 15 Mar 2024 at 11:08, Daniel Gustafsson wrote: > > Another quirk for the documentation of this: if I disable ALTER SYSTEM I > > would > > assume that postgresql.auto.conf is no longer consumed, but it still is (and > > still

Re: Possibility to disable `ALTER SYSTEM`

2024-03-15 Thread Jelte Fennema-Nio
On Fri, 15 Mar 2024 at 11:08, Daniel Gustafsson wrote: > Another quirk for the documentation of this: if I disable ALTER SYSTEM I would > assume that postgresql.auto.conf is no longer consumed, but it still is (and > still needs to be), so maybe "enable/disable" is the wrong choice of words?

Re: Possibility to disable `ALTER SYSTEM`

2024-03-15 Thread Daniel Gustafsson
> On 15 Mar 2024, at 03:58, Bruce Momjian wrote: > > On Thu, Mar 14, 2024 at 07:43:15PM -0400, Robert Haas wrote: >> On Thu, Mar 14, 2024 at 5:15 PM Maciek Sakrejda wrote: >>> It's not a security feature: it's a usability feature. >>> >>> It's a usability feature because, when Postgres

Re: Possibility to disable `ALTER SYSTEM`

2024-03-15 Thread Jelte Fennema-Nio
On Thu, 14 Mar 2024 at 22:15, Maciek Sakrejda wrote: > In this case, the end user with access to Postgres superuser > privileges presumably also has access to the outside configuration > mechanism. The goal is not to prevent them from changing settings, but > to offer guard rails that prevent

Re: Possibility to disable `ALTER SYSTEM`

2024-03-14 Thread Bruce Momjian
On Thu, Mar 14, 2024 at 07:43:15PM -0400, Robert Haas wrote: > On Thu, Mar 14, 2024 at 5:15 PM Maciek Sakrejda wrote: > > It's not a security feature: it's a usability feature. > > > > It's a usability feature because, when Postgres configuration is > > managed by an outside mechanism (e.g., as

Re: Possibility to disable `ALTER SYSTEM`

2024-03-14 Thread Robert Haas
On Thu, Mar 14, 2024 at 5:15 PM Maciek Sakrejda wrote: > It's not a security feature: it's a usability feature. > > It's a usability feature because, when Postgres configuration is > managed by an outside mechanism (e.g., as in a Kubernetes > environment), ALTER SYSTEM currently allows a

Re: Possibility to disable `ALTER SYSTEM`

2024-03-14 Thread Maciek Sakrejda
On Thu, Mar 14, 2024 at 1:38 PM Robert Haas wrote: > On Thu, Mar 14, 2024 at 4:08 PM Tom Lane wrote: > > The patch-of-record contains no such wording. > > I plan to fix that, if nobody else beats me to it. > > > And if this isn't a > > security feature, then what is it? If you have to say to
