* Robert Haas (robertmh...@gmail.com) wrote:
> On Thu, Jan 5, 2017 at 11:56 AM, Stephen Frost <sfr...@snowman.net> wrote:
> >> One thing I'm kind of happy about is that, as far as I can see, there
> >> hasn't been much backlash against the existing ALTER SYSTEM, either
> >> from a security point of view or a user-confusion point of view.
> >
> > I've seen complaints about it and have seen people changing the
> > permissions to be root/root on the .auto.conf file to disallow 'regular'
> > superusers from doing ALTER SYSTEM. It's not exactly elegant but it's a
> > way to avoid the risk of someone messing with the system config without
> > going through the CM system.
>
> Hmm, OK. They're not bothered by ALTER DATABASE the_one_everybody_uses?

Generally speaking, an ALTER DATABASE is unlikely to make the cluster fail to start.

To be clear, I've only seen 1 or 2 cases and I'm not sure if, in those cases, they even fully understood how much can be changed through ALTER DATABASE or ALTER ROLE. My goal in those cases (and others where I come across installations with a lot of superusers) is typically to try and educate them as to just how close a superuser is to the unix user and recommend that they reconsider how they handle access privileges in the system (in particular, to try and get them to not have so many superusers and instead use other ways to give people access to what they need).

Of course, that tends to lead into things like "well, how do I make sure that user X has read rights on every table, always" or "how do I give someone the ability to terminate runaway queries that another user started." We've made progress there, but there's more to do still.

Thanks!

Stephen