On Wed, 20 Mar 2024 at 14:04, Greg Sabino Mullane <htamf...@gmail.com> wrote: >> >> As a bonus, if that GUC is set, we could even check at server startup that >> all the configuration files are not writable by the postgres user, >> and print a warning or refuse to start up if they are. > > > Ugh, please let's not do this. This was bouncing around in my head last > night, and this is really a quite radical change - especially just to handle > the given ask, which is to prevent a specific command from running. Not > implement a brand new security system. There are so many ways this could go > wrong if we start having separate permissions for some of our files. In > addition to backups and other tools that need to write to the conf files as > the postgres user, what about systems that create a new cluster automatically > e.g. Patroni? It will now need elevated privs just to create the conf files > and assign the new ownership to them. Lots of moving pieces there and ways > things could go wrong. So a big -1 from me, as they say/ :)
Well put. I don't think the effort of making all tooling handle this correctly is worth the benefit that it brings. afaict everyone on this thread that actually wants to use this feature would be happy with the functionality that the current patch provides (i.e. having postgresql.auto.conf writable, but having ALTER SYSTEM error out).
