Stephen Frost <sfr...@snowman.net> writes:
> * Andres Freund (and...@anarazel.de) wrote:
>> You can just revoke permissions on the file if necessary. Results in the
>> expected
>> ERROR: XX000: could not open file "../postgresql.auto.conf": Permission denied

> Yes, I know, but that's a really grotty way of offering a way to disable
> ALTER SYSTEM. It's also not exactly intuitive to someone reading the
> release notes or working on upgrading their existing postgresql.conf.

While I won't stand in the way if someone is dead set on providing a
disable switch for ALTER SYSTEM, I fail to see the point of one. It's a
superuser-only feature to begin with, and if you are handing out superuser
on production-critical installations to people you don't trust completely,
you need to have your head examined.

As a directly comparable example, I note that you yourself were in favor
of getting rid of rolcatupdate, which was the only mechanism we ever had
that could prevent a superuser from destroying the catalogs entirely with
a mistyped update --- consider "DELETE FROM pg_proc", for example, which
unlike ALTER SYSTEM there is simply no way to recover from. How is it
that we don't need rolcatupdate but we do need a way to shut off ALTER
SYSTEM? Doesn't compute, IMO.

regards, tom lane

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)