On Mon, Mar 25, 2024 at 7:27 PM Tom Lane <t...@sss.pgh.pa.us> wrote:

> Robert Haas <robertmh...@gmail.com> writes:
> > OK, great. The latest patch doesn't specifically talk about backing it
> > up with filesystem-level controls, but it does clearly say that this
> > feature is not going to stop a determined superuser from bypassing the
> > feature, which I think is the appropriate level of detail. We don't
> > actually know whether a user has filesystem-level controls available
> > on their system that are equal to the task; certainly chmod isn't good
> > enough, unless you can prevent the superuser from just running chmod
> > again, which you probably can't. An FS-level immutable flag or some
> > other kind of OS-level wizardry might well get the job done, but I
> > don't think our documentation needs to speculate about that.
>
> True.  For postgresql.conf, you can put it outside the data directory
> and make it be owned by some other user, and the job is done.  It's
> harder for postgresql.auto.conf because that always lives in the data
> directory which is necessarily postgres-writable, so even if you
> did those two things to it the superuser could just rename or
> remove it and then write postgresql.auto.conf of his choosing.
>

Just to add to that -- if you use chattr +i on it, the superuser in
postgres won't be able to rename it -- only the actual root user.

Just chowning it won't help of course, then the rename part works.

-- 
 Magnus Hagander
 Me: https://www.hagander.net/ <http://www.hagander.net/>
 Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>
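
The point made in this thread, that mode bits on postgresql.auto.conf do not stop a rename inside a postgres-writable directory while `chattr +i` does, shown as an added example that is not part of the original message or of PostgreSQL. The scratch directory, stand-in file and function names are constructed for illustration, and Linux `lsattr` is assumed for the attribute check.

```shell
#!/bin/sh
# Added example; the scratch directory, stand-in file and function names
# are constructed for illustration and touch no real cluster.

# Show that permissions on the file itself do not stop replacement when the
# containing directory is writable (as the data directory is for postgres).
# Prints "replaced" or "blocked".
demo_replace_readonly() {
    dir=$(mktemp -d) || return 2
    f="$dir/postgresql.auto.conf"          # stand-in file in a temp dir
    printf '# locked settings\n' > "$f"
    chmod 0444 "$f"                        # read-only for everyone
    # rename() needs write permission on the directory, not on the file
    if mv "$f" "$f.old" 2>/dev/null && printf '# new settings\n' > "$f" 2>/dev/null
    then result=replaced
    else result=blocked
    fi
    rm -rf "$dir"
    echo "$result"
}

# Report whether a file carries the immutable attribute (chattr +i).
# Prints "immutable", "mutable", or "unknown" (no lsattr, missing file,
# or a filesystem without attribute support).
immutable_state() {
    command -v lsattr >/dev/null 2>&1 || { echo unknown; return 0; }
    # First field of lsattr output is the flag string; lowercase i = immutable
    flags=$(lsattr -d "$1" 2>/dev/null | awk 'NR==1 {print $1}')
    case "$flags" in
        "")  echo unknown ;;
        *i*) echo immutable ;;
        *)   echo mutable ;;
    esac
}

# Stand-alone run: show the demo result, then the state of an optional path.
demo_replace_readonly
if [ -n "${1:-}" ]; then immutable_state "$1"; fi
```

Passing the path of a real postgresql.auto.conf as the first argument reports whether the immutable flag is currently set on it.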
