Re: Possibility to disable `ALTER SYSTEM`

On Thu, Mar 28, 2024 at 12:43:29AM +0100, Jelte Fennema-Nio wrote:
> +     <varlistentry id="guc-allow-alter-system" xreflabel="allow_alter_system">
> +      <term><varname>allow_alter_system</varname> (<type>boolean</type>)
> +      <indexterm>
> +       <primary><varname>allow_alter_system</varname> configuration parameter</primary>
> +      </indexterm>
> +      </term>
> +      <listitem>
> +       <para>
> +        When <literal>allow_alter_system</literal> is set to
> +        <literal>off</literal>, an error is returned if the <command>ALTER
> +        SYSTEM</command> command is used. This parameter can only be set in

"command is used." -> "command is issued." ?

> +        the <filename>postgresql.conf</filename> file or on the server command
> +        line. The default value is <literal>on</literal>.
> +       </para>
> +
> +       <para>
> +        Note that this setting cannot be regarded as a security feature. It

"setting cannot be regarded" -> "setting should not be regarded"

> +        only disables the <literal>ALTER SYSTEM</literal> command. It does not
> +        prevent a superuser from changing the configuration using other SQL
> +        commands. A superuser has many ways of executing shell commands at
> +        the operating system level, and can therefore modify
> +        <literal>postgresql.auto.conf</literal> regardless of the value of
> +        this setting.

I like that you explained how this can be bypassed.

> +
> +       <para>
> +        Turning this setting off is intended for environments where the
> +        configuration of <productname>PostgreSQL</productname> is managed by
> +        some outside mechanism.
> +        In such environments, a well intenioned superuser user might
> +        <emphasis>mistakenly</emphasis> use <command>ALTER SYSTEM</command>
> +        to change the configuration instead of using the outside mechanism.
> +        This might even appear to update the configuration as intended, but

"This might even appear to update" -> "This might temporarily update"

> +        then might be discarded at some point in the future when that outside

"that outside" -> "the outside"

> +        mechanism updates the configuration.
> +        Setting this parameter to <literal>off</literal> can
> +        help to avoid such mistakes.

"help to avoid" ->  "help avoid"

> +       </para>
> +
> +       <para>
> +        This parameter only controls the use of <command>ALTER SYSTEM</command>.
> +        The settings stored in <filename>postgresql.auto.conf</filename> always

"always" -> "still"

Should this paragraph be moved after or as part of the paragraph about
modifying postgresql.auto.conf?

-- 
  Bruce Momjian  <bruce@momjian.us>        https://momjian.us
  EDB                                      https://enterprisedb.com

  Only you can decide what is important to you.