From d3ae2a24f265a028f4b9e8df79ea7b075c6cf016 Mon Sep 17 00:00:00 2001 From: Robert Haas Date: Fri, 29 Mar 2024 08:44:45 -0400 Subject: Add allow_alter_system GUC. This is marked PGC_SIGHUP, so it can only be set in a configuration file, not anywhere else; and it is also marked GUC_DISALLOW_IN_AUTO_FILE, so it can't be set using ALTER SYSTEM. When set to false, the ALTER SYSTEM command is disallowed. There was considerable concern that this would be misinterpreted as a security feature, which it is not, because a determined superuser has various ways of bypassing it. Hence, a lot of work has gone into wordsmithing the documentation, in the hopes of avoiding any such confusion. Jelte Fennemia-Nio and Gabriele Bartolini, with wording suggestions for the documentation from many others. Discussion: http://postgr.es/m/CA%2BVUV5rEKt2%2BCdC_KUaPoihMu%2Bi5ChT4WVNTr4CD5-xXZUfuQw%40mail.gmail.com --- doc/src/sgml/config.sgml | 51 +++++++++++++++++++++++++++++++++++++- doc/src/sgml/ref/alter_system.sgml | 8 ++++++ 2 files changed, 58 insertions(+), 1 deletion(-) (limited to 'doc/src') diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index 5468637e2ef..f65c17e5ae4 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -199,7 +199,8 @@ shared_buffers = 128MB External tools may also modify postgresql.auto.conf. It is not - recommended to do this while the server is running, since a + recommended to do this while the server is running unless is set to off, since a concurrent ALTER SYSTEM command could overwrite such changes. Such tools might simply append new settings to the end, or they might choose to remove duplicate settings and/or comments 
@@ -10767,6 +10768,54 @@ dynamic_library_path = 'C:\tools\postgresql;H:\my_project\lib;$libdir' + + allow_alter_system (boolean) + + allow_alter_system configuration parameter + + + + + When allow_alter_system is set to + off, an error is returned if the ALTER + SYSTEM command is executed. This parameter can only be set in + the postgresql.conf file or on the server command + line. The default value is on. + + + + Note that this setting must not be regarded as a security feature. It + only disables the ALTER SYSTEM command. It does not + prevent a superuser from changing the configuration using other SQL + commands. A superuser has many ways of executing shell commands at + the operating system level, and can therefore modify + postgresql.auto.conf regardless of the value of + this setting. + + + + Turning this setting off is intended for environments where the + configuration of PostgreSQL is managed by + some external tool. + In such environments, a well intentioned superuser might + mistakenly use ALTER SYSTEM + to change the configuration instead of using the external tool. + This might result in unintended behavior, such as the external tool + overwriting the change at some later point in time when it updates the + configuration. + Setting this parameter to off can + help avoid such mistakes. + + + + This parameter only controls the use of ALTER SYSTEM. + The settings stored in postgresql.auto.conf + take effect even if allow_alter_system is set to + off. + + + + diff --git a/doc/src/sgml/ref/alter_system.sgml b/doc/src/sgml/ref/alter_system.sgml index bea5714ba1a..1bde66d6ad2 100644 --- a/doc/src/sgml/ref/alter_system.sgml +++ b/doc/src/sgml/ref/alter_system.sgml @@ -104,6 +104,7 @@ ALTER SYSTEM RESET ALL This command can't be used to set , + , nor parameters that are not allowed in postgresql.conf (e.g., preset options). 
@@ -111,6 +112,13 @@ ALTER SYSTEM RESET ALL See for other ways to set the parameters. + + + ALTER SYSTEM can be disabled by setting + to off, but this + is not a security mechanism (as explained in detail in the documentation for + this parameter). + -- cgit v1.2.3
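Review bot: In the first config.sgml hunk (@@ -199), the added clause "unless ... is set to off" sits between the recommendation and its reason, so "since a concurrent ALTER SYSTEM command could overwrite such changes" now reads as though it explained the exception rather than the recommendation. Suggest leaving the original sentence intact and stating the exception in a sentence of its own after it, for example "This risk does not arise when allow_alter_system is set to off."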
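Review bot: In the new allow_alter_system entry (config.sgml, @@ -10767), the text never says what happens to an allow_alter_system line that ends up in postgresql.auto.conf. The first paragraph says the parameter "can only be set in the postgresql.conf file or on the server command line", and the last paragraph says settings stored in postgresql.auto.conf take effect even when the parameter is off, so a reader has to guess whether a hand-written entry there is honoured or ignored. The commit message says the GUC is marked GUC_DISALLOW_IN_AUTO_FILE; please add one sentence stating the resulting behaviour for such an entry, since external tools are explicitly allowed to edit that file. Minor: "well intentioned superuser" should be hyphenated as "well-intentioned".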
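Review bot: In the last alter_system.sgml hunk (@@ -111), the new paragraph says "this is not a security mechanism" while the config.sgml entry it points to says the setting "must not be regarded as a security feature". Please use one term in both places so that a search for either phrase finds both statements. The parenthetical "(as explained in detail in the documentation for this parameter)" could also be dropped or shortened, since the sentence already links to the parameter.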