Re: Revoke "drop database" even for superusers?

Andres Freund <andres@anarazel.de> writes:
> On 2012-11-09 12:42:37 +0100, Albe Laurenz wrote:
>> You cannot play it over permissions, but what about the following trick:
>>
>> postgres=# CREATE DATABASE persist;
>> CREATE DATABASE
>> postgres=# UPDATE pg_database SET datistemplate=TRUE WHERE
>> datname='persist';
>> UPDATE 1
>> postgres=# DROP DATABASE persist;
>> ERROR:  cannot drop a template database

> Not a good idea, autovacuum will use a freeze_min_age of 0 in that
> case which will make it heaps more expensive. Also it allows everyone to
> copy that database not only its owner/superuser.
> I think there might be even more unexpected consequences of playing that
> trick.

It seems pretty pointless in any case, since a superuser could just undo
the UPDATE and then drop the database.

If what you're trying to avoid is accidental, rather than malicious,
drops, here's something that would be a lot more useful: avoid using
superuser accounts as much as you possibly can.  There are not that
many things that you really need to use superuser privileges for.

            regards, tom lane