On Tue, Mar 19, 2024 at 2:28 PM Magnus Hagander <mag...@hagander.net> wrote:
> On Tue, Mar 19, 2024 at 3:52 PM Tom Lane <t...@sss.pgh.pa.us> wrote: > > > > Heikki Linnakangas <hlinn...@iki.fi> writes: > > > Perhaps we could make that even better with a GUC though. I propose a > > > GUC called 'configuration_managed_externally = true / false". If you > set > > > it to true, we prevent ALTER SYSTEM and make the error message more > > > definitive: > > > > > postgres=# ALTER SYSTEM SET wal_level TO minimal; > > > ERROR: configuration is managed externally > > > > > As a bonus, if that GUC is set, we could even check at server startup > > > that all the configuration files are not writable by the postgres user, > > > and print a warning or refuse to start up if they are. > > > > I like this idea. The "bonus" is not optional though, because > > setting the files' ownership/permissions is the only way to be > > sure that the prohibition is even a little bit bulletproof. > > > > One small issue: how do we make that work on Windows? Have recent > > versions grown anything that looks like real file permissions? > > Windows has had full ACL support since 1993. The easiest way to do > what you're doing here is to just set a DENY permission on the > postgres operating system user. > > > > Yeah. See < https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/icacls> for example. cheers andrew