Re: Possibility to disable `ALTER SYSTEM`
| От | Magnus Hagander |
|---|---|
| Тема | Re: Possibility to disable `ALTER SYSTEM` |
| Дата | |
| Msg-id | CABUevEyYsuFUDUFW9=M4w3EbsxY9xfKXAxPPWRER9KRr0mEb1A@mail.gmail.com обсуждение исходный текст |
| Ответ на | Re: Possibility to disable `ALTER SYSTEM` (Tom Lane <tgl@sss.pgh.pa.us>) |
| Ответы |
Re: Possibility to disable `ALTER SYSTEM`
|
| Список | pgsql-hackers |
On Tue, Jan 30, 2024 at 10:48 PM Tom Lane <tgl@sss.pgh.pa.us> wrote: > > Robert Haas <robertmhaas@gmail.com> writes: > > There's nothing wrong with that exactly, but what does it gain us over > > my proposal of a sentinel file? > > I was imagining using selinux and/or sepgsql to directly prevent > writing postgresql.auto.conf from the Postgres account. Combine that > with a non-Postgres-owned postgresql.conf (already supported) and you > have something that seems actually bulletproof, rather than a hint. > Admittedly, using that approach requires knowing something about a > non-Postgres security mechanism. Wouldn't a simple "chattr +i postgresql.auto.conf" work? -- Magnus Hagander Me: https://www.hagander.net/ Work: https://www.redpill-linpro.com/
В списке pgsql-hackers по дате отправления: