Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1qeLb0-006Yge-0D for pgsql-hackers@arkaria.postgresql.org; Thu, 07 Sep 2023 20:27:22 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1qeLay-004bTX-PF for pgsql-hackers@arkaria.postgresql.org; Thu, 07 Sep 2023 20:27:20 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1qeLay-004bTM-EO for pgsql-hackers@lists.postgresql.org; Thu, 07 Sep 2023 20:27:20 +0000 Received: from sss.pgh.pa.us ([68.162.161.243]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1qeLav-003JL2-Ch for pgsql-hackers@postgresql.org; Thu, 07 Sep 2023 20:27:19 +0000 Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1]) by sss.pgh.pa.us (8.15.2/8.15.2) with ESMTP id 387KRExZ1756007; Thu, 7 Sep 2023 16:27:14 -0400 From: Tom Lane To: Gabriele Bartolini cc: pgsql-hackers@postgresql.org Subject: Re: Possibility to disable `ALTER SYSTEM` In-reply-to: References: Comments: In-reply-to Gabriele Bartolini message dated "Thu, 07 Sep 2023 21:51:14 +0200" MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <1756005.1694118434.1@sss.pgh.pa.us> Date: Thu, 07 Sep 2023 16:27:14 -0400 Message-ID: <1756006.1694118434@sss.pgh.pa.us> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Gabriele Bartolini writes: > I would like to propose a patch that allows administrators to disable > `ALTER SYSTEM` via either a runt-time option to pass to the Postgres server > process at startup (e.g. `--disable-alter-system=true`, false by default) > or a new GUC (or even both), without changing the current default method of > the server. ALTER SYSTEM is already heavily restricted. I don't think we need random kluges added to the permissions system. I especially don't believe in kluges to the effect of "superuser doesn't have all permissions anymore". If you nonetheless feel that that's a good idea for your use case, you can implement the restriction with an event trigger or the like. regards, tom lane