<para>
External tools may also
modify <filename>postgresql.auto.conf</filename>. It is not
- recommended to do this while the server is running, since a
+ recommended to do this while the server is running unless <xref
+ linkend="guc-allow-alter-system"/> is set to <literal>off</literal>, since a
concurrent <command>ALTER SYSTEM</command> command could overwrite
such changes. Such tools might simply append new settings to the end,
or they might choose to remove duplicate settings and/or comments
</listitem>
</varlistentry>
+ <varlistentry id="guc-allow-alter-system" xreflabel="allow_alter_system">
+ <term><varname>allow_alter_system</varname> (<type>boolean</type>)
+ <indexterm>
+ <primary><varname>allow_alter_system</varname> configuration parameter</primary>
+ </indexterm>
+ </term>
+ <listitem>
+ <para>
+ When <literal>allow_alter_system</literal> is set to
+ <literal>off</literal>, an error is returned if the <command>ALTER
+ SYSTEM</command> command is executed. This parameter can only be set in
+ the <filename>postgresql.conf</filename> file or on the server command
+ line. The default value is <literal>on</literal>.
+ </para>
+
+ <para>
+ Note that this setting must not be regarded as a security feature. It
+ only disables the <literal>ALTER SYSTEM</literal> command. It does not
+ prevent a superuser from changing the configuration using other SQL
+ commands. A superuser has many ways of executing shell commands at
+ the operating system level, and can therefore modify
+ <literal>postgresql.auto.conf</literal> regardless of the value of
+ this setting.
+ </para>
+
+ <para>
+ Turning this setting off is intended for environments where the
+ configuration of <productname>PostgreSQL</productname> is managed by
+ some external tool.
+ In such environments, a well intentioned superuser might
+ <emphasis>mistakenly</emphasis> use <command>ALTER SYSTEM</command>
+ to change the configuration instead of using the external tool.
+ This might result in unintended behavior, such as the external tool
+ overwriting the change at some later point in time when it updates the
+ configuration.
+ Setting this parameter to <literal>off</literal> can
+ help avoid such mistakes.
+ </para>
+
+ <para>
+ This parameter only controls the use of <command>ALTER SYSTEM</command>.
+ The settings stored in <filename>postgresql.auto.conf</filename>
+ take effect even if <literal>allow_alter_system</literal> is set to
+ <literal>off</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</sect2>
</sect1>
<para>
This command can't be used to set <xref linkend="guc-data-directory"/>,
+ <xref linkend="guc-allow-alter-system"/>,
nor parameters that are not allowed in <filename>postgresql.conf</filename>
(e.g., <link linkend="runtime-config-preset">preset options</link>).
</para>
<para>
See <xref linkend="config-setting"/> for other ways to set the parameters.
</para>
+
+ <para>
+ <literal>ALTER SYSTEM</literal> can be disabled by setting
+ <xref linkend="guc-allow-alter-system"/> to <literal>off</literal>, but this
+ is not a security mechanism (as explained in detail in the documentation for
+ this parameter).
+ </para>
</refsect1>
<refsect1>
/*
* GUC option variables that are exported from this module
*/
+bool AllowAlterSystem = true;
bool log_duration = false;
bool Debug_print_plan = false;
bool Debug_print_parse = false;
false,
NULL, NULL, NULL
},
+ {
+ /*
+ * This setting itself cannot be set by ALTER SYSTEM to avoid an
+ * operator turning this setting off by using ALTER SYSTEM, without a
+ * way to turn it back on.
+ */
+ {"allow_alter_system", PGC_SIGHUP, COMPAT_OPTIONS_OTHER,
+ gettext_noop("Allows running the ALTER SYSTEM command."),
+ gettext_noop("Can be set to off for environments where global configuration "
+ "changes should be made using a different method."),
+ GUC_DISALLOW_IN_AUTO_FILE
+ },
+ &AllowAlterSystem,
+ true,
+ NULL, NULL, NULL
+ },
{
{"bonjour", PGC_POSTMASTER, CONN_AUTH_SETTINGS,
gettext_noop("Enables advertising the server via Bonjour."),
projects / postgresql.git / commitdiff