Stephen Frost <> writes:
> * Andres Freund ( wrote:
>> You can just revoke permissions on the file if necessary. Results in the
>> expected
>> ERROR:  XX000: could not open file "../": Permission 
>> denied

> Yes, I know, but that's a really grotty way of offering a way to disable
> ALTER SYSTEM.  It's also not exactly intuitive to someone reading the
> release notes or working on upgrading their existing postgresql.conf.

While I won't stand in the way if someone is dead set on providing a
disable switch for ALTER SYSTEM, I fail to see the point of one.  It's
a superuser-only feature to begin with, and if you are handing out
superuser on production-critical installations to people you don't trust
completely, you need to have your head examined.

As a directly comparable example, I note that you yourself were in favor
of getting rid of rolcatupdate, which was the only mechanism we ever had
that could prevent a superuser from destroying the catalogs entirely
with a mistyped update --- consider "DELETE FROM pg_proc", for example,
which unlike ALTER SYSTEM there is simply no way to recover from.

How is it that we don't need rolcatupdate but we do need a way to shut
off ALTER SYSTEM?  Doesn't compute, IMO.

                        regards, tom lane

Sent via pgsql-hackers mailing list (
To make changes to your subscription:

Reply via email to