author | Robert Haas <rhaas@postgresql.org> | 2024-03-29 08:44:45 -0400 |
---|---|---|
committer | Robert Haas <rhaas@postgresql.org> | 2024-03-29 08:45:11 -0400 |
commit | d3ae2a24f265a028f4b9e8df79ea7b075c6cf016 (patch) | |
tree | 821da445f3c814a50ca560105f33be84f2a3435d /src/backend/utils/misc/guc_tables.c | |
parent | 0075d78947e3800c5a807f48fd901f16db91101b (diff) | |
Add allow_alter_system GUC.
This is marked PGC_SIGHUP, so it can only be set in a configuration
file, not anywhere else; and it is also marked GUC_DISALLOW_IN_AUTO_FILE,
so it can't be set using ALTER SYSTEM. When set to false, the
ALTER SYSTEM command is disallowed.
There was considerable concern that this would be misinterpreted as
a security feature, which it is not, because a determined superuser
has various ways of bypassing it. Hence, a lot of work has gone into
wordsmithing the documentation, in the hopes of avoiding any such
confusion.
Jelte Fennemia-Nio and Gabriele Bartolini, with wording suggestions
for the documentation from many others.
Discussion: http://postgr.es/m/CA%2BVUV5rEKt2%2BCdC_KUaPoihMu%2Bi5ChT4WVNTr4CD5-xXZUfuQw%40mail.gmail.com
Diffstat (limited to 'src/backend/utils/misc/guc_tables.c')
-rw-r--r-- | src/backend/utils/misc/guc_tables.c | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/src/backend/utils/misc/guc_tables.c b/src/backend/utils/misc/guc_tables.c
index abd9029451f..92fcd5fa4d5 100644
--- a/src/backend/utils/misc/guc_tables.c
+++ b/src/backend/utils/misc/guc_tables.c
@@ -494,6 +494,7 @@ extern const struct config_enum_entry dynamic_shared_memory_options[];
 /*
 * GUC option variables that are exported from this module
 */
+bool AllowAlterSystem = true;
 bool log_duration = false;
 bool Debug_print_plan = false;
 bool Debug_print_parse = false;
@@ -1041,6 +1042,22 @@ struct config_bool ConfigureNamesBool[] =
 NULL, NULL, NULL
 },
 {
+ /*
+ * This setting itself cannot be set by ALTER SYSTEM to avoid an
+ * operator turning this setting off by using ALTER SYSTEM, without a
+ * way to turn it back on.
+ */
+ {"allow_alter_system", PGC_SIGHUP, COMPAT_OPTIONS_OTHER,
+ gettext_noop("Allows running the ALTER SYSTEM command."),
+ gettext_noop("Can be set to off for environments where global configuration "
+ "changes should be made using a different method."),
+ GUC_DISALLOW_IN_AUTO_FILE
+ },
+ &AllowAlterSystem,
+ true,
+ NULL, NULL, NULL
+ },
+ {
 {"bonjour", PGC_POSTMASTER, CONN_AUTH_SETTINGS,
 gettext_noop("Enables advertising the server via Bonjour."),
 NULL |
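Review bot: The comment on the new `allow_alter_system` entry in the second hunk explains only why GUC_DISALLOW_IN_AUTO_FILE is set; it does not record that the setting is not a security boundary, which the commit message stresses because a determined superuser can bypass it. Someone reading guc_tables.c without the commit message or the documentation could take the flag for an access control, so I would append to that comment `* Note that this is not a security feature: a determined superuser has other ways to change the configuration.` The long description string could carry the same caveat, since it is presumably what administrators see when they inspect the setting. The code that actually rejects ALTER SYSTEM is not visible here (the diffstat is limited to guc_tables.c), and ConfigureNamesBool[] begins and ends outside the hunk.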