
It was already possible to configure this in a container with permissions.



I can neither confirm nor deny that of my own knowledge.

I'll merely say that if it is possible, then I'd expect this detail to have been in the article. Because the existence of an acceptable solution for the use case would have been an important part of the discussion.

As evidence for my point of view, the article early on points out that Tom Lane thought that there was a way to do it. And even described how to do it. But it turned out that he was wrong.

Now I'd be shocked if either of us knew PostgreSQL nearly as well as https://en.wikipedia.org/wiki/Tom_Lane_(computer_scientist). The fact that he thought there was a way to do it makes it reasonable that you'd think the same. The fact that he couldn't come up with a way to do it without changing PostgreSQL suggests that, like he was initially, you're wrong.

But as I say, my evidence is circumstantial. And I'd be open to learning what it is in case I ever again wind up setting up PostgreSQL on an old version for a containerized system. Though in a new system I'd prefer to use the mechanism created specifically for this purpose.


Oh, all I'm saying is you can set the conf file to read-only. Basically this entire feature is "we want a nice error message".


That's how I see it too. Not security, but developer experience. You set the file as read-only, but provide a message to the PostgreSQL superuser that this is as intended.


This is discussed in LWN comments, in fact. But the problem there is that the protocol used to communicate the fact that the file is read-only to the application (errno==EACCES or equivalent on other platforms) does not provide any useful way for the system administrator who makes the file read-only to add a notice explaining why permission is denied, in a way that it is also communicated to the app - so that it could display it to the user.

So the proper solution to this whole thing would be for the OS to provide such a facility: "permission X is denied to Y because Z". This seems like a useful facility in general, come to think of it. But it would have taken more time and effort, and would require buy-in from more parties, some of whom might be very hostile to this notion (e.g. I don't think it would be an easy thing on Linux). No wonder that this isn't an option that is even contemplated as realistic.

And so instead we got yet another easy-to-make crutch in the tower of crutches and duck tape that is modern software.


There seems to be a major lack of communication in the threads, as evidenced by Tom Lane's "I never objected to the idea of being able to disable ALTER SYSTEM".

I guess a technical understanding of PostgreSQL leads to different thoughts than your average working dev/devops/ops person.

Which, TBF, characterizes a lot of tech discussions.



