From 983b7f73aac7933f743861815e79667b08c3d1f0 Mon Sep 17 00:00:00 2001 From: Gabriele Bartolini Date: Fri, 8 Sep 2023 20:25:36 +0200 Subject: [PATCH v10] Add allow_alter_system GUC Introduce the allow_alter_system GUC (by default set to on). This GUC can be used as a guard rail to prevent accidental usage of ALTER SYSTEM in environments where that is not the intended way to make global configuration changes. Author: Gabriele Bartolini Author: Jelte Fennema-Nio --- doc/src/sgml/config.sgml | 51 ++++++++++++++++++- doc/src/sgml/ref/alter_system.sgml | 8 +++ src/backend/utils/misc/guc.c | 9 ++++ src/backend/utils/misc/guc_tables.c | 17 +++++++ src/backend/utils/misc/postgresql.conf.sample | 1 + src/include/utils/guc.h | 1 + src/include/utils/guc_tables.h | 3 ++ 7 files changed, 89 insertions(+), 1 deletion(-) diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index 5468637e2ef..70ab96d9c2e 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -199,7 +199,8 @@ shared_buffers = 128MB External tools may also modify postgresql.auto.conf. It is not - recommended to do this while the server is running, since a + recommended to do this while the server is running unless is set to off, since a concurrent ALTER SYSTEM command could overwrite such changes. Such tools might simply append new settings to the end, or they might choose to remove duplicate settings and/or comments @@ -10767,6 +10768,54 @@ dynamic_library_path = 'C:\tools\postgresql;H:\my_project\lib;$libdir' + + allow_alter_system (boolean) + + allow_alter_system configuration parameter + + + + + When allow_alter_system is set to + off, an error is returned if the ALTER + SYSTEM command is executed. This parameter can only be set in + the postgresql.conf file or on the server command + line. The default value is on. + + + + Note that this setting must not be regarded as a security feature. It + only disables the ALTER SYSTEM command. It does not + prevent a superuser from changing the configuration using other SQL + commands. A superuser has many ways of executing shell commands at + the operating system level, and can therefore modify + postgresql.auto.conf regardless of the value of + this setting. + + + + Turning this setting off is intended for environments where the + configuration of PostgreSQL is managed by + some external tool. + In such environments, a well intentioned superuser might + mistakenly use ALTER SYSTEM + to change the configuration instead of using the external tool. + Which might result in unintended behavior, such as the external tool + discarding the change at some later point in time when it updates the + configuration. + Setting this parameter to off can + help avoid such mistakes. + + + + This parameter only controls the use of ALTER SYSTEM. + The settings stored in postgresql.auto.conf + take effect even if allow_alter_system is set to + off. + + + + diff --git a/doc/src/sgml/ref/alter_system.sgml b/doc/src/sgml/ref/alter_system.sgml index bea5714ba1a..8f580ab9a68 100644 --- a/doc/src/sgml/ref/alter_system.sgml +++ b/doc/src/sgml/ref/alter_system.sgml @@ -104,6 +104,7 @@ ALTER SYSTEM RESET ALL This command can't be used to set , + , nor parameters that are not allowed in postgresql.conf (e.g., preset options). @@ -111,6 +112,13 @@ ALTER SYSTEM RESET ALL See for other ways to set the parameters. + + + ALTER SYSTEM can be disabled by setting + to off, but this + is no security mechanism (as explained in detail in the documentation for + this parameter). + diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c index 391866145ee..df8f08ee68d 100644 --- a/src/backend/utils/misc/guc.c +++ b/src/backend/utils/misc/guc.c @@ -4563,6 +4563,15 @@ AlterSystemSetConfigFile(AlterSystemStmt *altersysstmt) */ name = altersysstmt->setstmt->name; + if (!AllowAlterSystem) + { + + ereport(ERROR, + (errcode(ERRCODE_FEATURE_NOT_SUPPORTED), + errmsg("ALTER SYSTEM is not allowed in this environment"), + errhint("Global configuration changes should be made through a configuration system outside of PostgreSQL, not by using ALTER SYSTEM."))); + } + switch (altersysstmt->setstmt->kind) { case VAR_SET_VALUE: diff --git a/src/backend/utils/misc/guc_tables.c b/src/backend/utils/misc/guc_tables.c index abd9029451f..92fcd5fa4d5 100644 --- a/src/backend/utils/misc/guc_tables.c +++ b/src/backend/utils/misc/guc_tables.c @@ -494,6 +494,7 @@ extern const struct config_enum_entry dynamic_shared_memory_options[]; /* * GUC option variables that are exported from this module */ +bool AllowAlterSystem = true; bool log_duration = false; bool Debug_print_plan = false; bool Debug_print_parse = false; @@ -1040,6 +1041,22 @@ struct config_bool ConfigureNamesBool[] = false, NULL, NULL, NULL }, + { + /* + * This setting itself cannot be set by ALTER SYSTEM to avoid an + * operator turning this setting off by using ALTER SYSTEM, without a + * way to turn it back on. + */ + {"allow_alter_system", PGC_SIGHUP, COMPAT_OPTIONS_OTHER, + gettext_noop("Allows running the ALTER SYSTEM command."), + gettext_noop("Can be set to off for environments where global configuration " + "changes should be made using a different method."), + GUC_DISALLOW_IN_AUTO_FILE + }, + &AllowAlterSystem, + true, + NULL, NULL, NULL + }, { {"bonjour", PGC_POSTMASTER, CONN_AUTH_SETTINGS, gettext_noop("Enables advertising the server via Bonjour."), diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample index 2244ee52f79..adcc0257f91 100644 --- a/src/backend/utils/misc/postgresql.conf.sample +++ b/src/backend/utils/misc/postgresql.conf.sample @@ -805,6 +805,7 @@ # - Other Platforms and Clients - #transform_null_equals = off +#allow_alter_system = on #------------------------------------------------------------------------------ diff --git a/src/include/utils/guc.h b/src/include/utils/guc.h index 3712aba09b0..8d1fe04078a 100644 --- a/src/include/utils/guc.h +++ b/src/include/utils/guc.h @@ -254,6 +254,7 @@ extern PGDLLIMPORT bool log_btree_build_stats; extern PGDLLIMPORT bool check_function_bodies; extern PGDLLIMPORT bool current_role_is_superuser; +extern PGDLLIMPORT bool AllowAlterSystem; extern PGDLLIMPORT bool log_duration; extern PGDLLIMPORT int log_parameter_max_length; extern PGDLLIMPORT int log_parameter_max_length_on_error; diff --git a/src/include/utils/guc_tables.h b/src/include/utils/guc_tables.h index 0c0277c4230..bfc457bc55c 100644 --- a/src/include/utils/guc_tables.h +++ b/src/include/utils/guc_tables.h @@ -320,4 +320,7 @@ extern char *config_enum_get_options(struct config_enum *record, const char *suffix, const char *separator); +/* GUC reference to enable/disable alter system */ +extern PGDLLIMPORT bool AllowAlterSystem; + #endif /* GUC_TABLES_H */ base-commit: 427005742bd2efdcee0f361e17d1a76664ff001b -- 2.34.1