On 2013-08-29 21:26:48 -0400, Stephen Frost wrote: > > Sure, you can construct a scenario where this matters. The ops guys > > have "sudo postgres pg_ctl" access but adminpack isn't installed and > > they have no other way to modify the configuration file. But that's > > just bizarre. And if that's really the environment you have, then you > > can install a loadable module that grabs ProcessUtility_hook and uses > > it to forbid ALTER SYSTEM on that machine. Hell, we can ship such a > > thing in contrib. Problem solved. But it's surely too obscure a > > combination of circumstances to justify disabling this by default. > > It's not the OPs guy that I'm worried about using ALTER SYSTEM- I don't > expect them to have any clue about it or care about it, except where it > can be used to modify things under /etc which they, rightfully, consider > their domain.
I think for the scenarios you describe it makes far, far much more sense to add the ability to easily monitor for two things: * on-disk configuration isn't the same as the currently loaded (not trivially possible yet) * Configuration variables only come from locations that are approved for in your scenario (Already possible, we might want to make it even easier) Greetings, Andres Freund -- Andres Freund http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Training & Services -- Sent via pgsql-hackers mailing list (email@example.com) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers