{"id":30644,"date":"2024-02-01T13:58:39","date_gmt":"2024-02-01T12:58:39","guid":{"rendered":"https:\/\/www.dbi-services.com\/blog\/?p=30644"},"modified":"2024-02-01T13:58:41","modified_gmt":"2024-02-01T12:58:41","slug":"disabling-alter-system-in-postgresql","status":"publish","type":"post","link":"https:\/\/www.dbi-services.com\/blog\/disabling-alter-system-in-postgresql\/","title":{"rendered":"Disabling &#8220;alter system&#8221; in PostgreSQL?"},"content":{"rendered":"\n<p>Last year there started an <a href=\"https:\/\/www.postgresql.org\/message-id\/CA%2BVUV5rEKt2%2BCdC_KUaPoihMu%2Bi5ChT4WVNTr4CD5-xXZUfuQw%40mail.gmail.com\" target=\"_blank\" rel=\"noreferrer noopener\">interesting discussion<\/a> on the PostgreSQL development mailing list: Would it make sense to implement something in PostgreSQL which can be used to disable the &#8220;<a href=\"https:\/\/www.postgresql.org\/docs\/current\/sql-altersystem.html\">alter system<\/a>&#8221; command even for superusers? The request comes out of the container \/ K8s world, where parameters are usually set using a declarative way and it might make sense to disallow this even for superusers. If you read the thread you&#8217;ll learn about the pros and cons of such a feature, as always, but there is something you can do even today which I was not aware of, even if it is obvious once you&#8217;ve seen it.<\/p>\n\n\n\n<p>Lets quickly have a look at what &#8220;alter system&#8221; is doing. Once you change a parameter using &#8220;alter system&#8221; this parameter change gets either added to &#8220;postgresql.auto.conf&#8221; if it is not there, or overwritten if it is there already:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: sql; highlight: [1,3,5,7]; title: ; notranslate\" title=\"\">\npostgres=# alter system set work_mem=&#039;11MB&#039;;\nALTER SYSTEM\npostgres=# \\! tail -1 $PGDATA\/postgresql.auto.conf\nwork_mem = &#039;11MB&#039;\npostgres=# alter system set work_mem=&#039;12MB&#039;;\nALTER SYSTEM\npostgres=# \\! tail -1 $PGDATA\/postgresql.auto.conf\nwork_mem = &#039;12MB&#039;\n<\/pre><\/div>\n\n\n<p>Of course you either need to reload or even restart PostgreSQL to make this active, but this is how it works for &#8220;alter system&#8221; in general.<\/p>\n\n\n\n<p>Disallowing &#8220;alter system&#8221; for even the super user is surprising simple. You can for example do it like this:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: sql; highlight: [1,2]; title: ; notranslate\" title=\"\">\npostgres=# \\! sudo chattr +i $PGDATA\/postgresql.auto.conf\npostgres=# alter system set work_mem=&#039;12MB&#039;;\nERROR:  could not open file &quot;postgresql.auto.conf&quot;: Operation not permitted\n<\/pre><\/div>\n\n\n<p><a href=\"https:\/\/man7.org\/linux\/man-pages\/man1\/chattr.1.html\" target=\"_blank\" rel=\"noreferrer noopener\">chattr +i<\/a> will disable any write access to the file and even will prevent deletion of the file. Another option is to give the file to someone else than the operating system user which is running the instance:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: sql; highlight: [1,2,4,5,6]; title: ; notranslate\" title=\"\">\npostgres=# ! sudo chattr -i $PGDATA\/postgresql.auto.conf\npostgres=# alter system set work_mem=&#039;12MB&#039;;\nALTER SYSTEM\npostgres=# ! sudo chown root:root $PGDATA\/postgresql.auto.conf\npostgres=# ! sudo chmod 600 $PGDATA\/postgresql.auto.conf\npostgres=# alter system set work_mem=&#039;12MB&#039;;\nERROR: could not open file &quot;postgresql.auto.conf&quot;: Permission denied\n<\/pre><\/div>\n\n\n<p>The same will of course work for all other configuration files in the data directory.<\/p>\n\n\n\n<p>You may also <a href=\"https:\/\/www.dbi-services.com\/blog\/postgresql-15-more-flexibility-with-setting-parameters\/\" target=\"_blank\" rel=\"noreferrer noopener\">check here<\/a> for more options about how users can be granted permissions to set specific parameters.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Last year there started an interesting discussion on the PostgreSQL development mailing list: Would it make sense to implement something in PostgreSQL which can be used to disable the &#8220;alter system&#8221; command even for superusers? The request comes out of the container \/ K8s world, where parameters are usually set using a declarative way and [&hellip;]<\/p>\n","protected":false},"author":29,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[229,198],"tags":[77],"type_dbi":[],"class_list":["post-30644","post","type-post","status-publish","format-standard","hentry","category-database-administration-monitoring","category-database-management","tag-postgresql"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.2 (Yoast SEO v27.2) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Disabling &quot;alter system&quot; in PostgreSQL? - dbi Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.dbi-services.com\/blog\/disabling-alter-system-in-postgresql\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Disabling &quot;alter system&quot; in PostgreSQL?\" \/>\n<meta property=\"og:description\" content=\"Last year there started an interesting discussion on the PostgreSQL development mailing list: Would it make sense to implement something in PostgreSQL which can be used to disable the &#8220;alter system&#8221; command even for superusers? The request comes out of the container \/ K8s world, where parameters are usually set using a declarative way and [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.dbi-services.com\/blog\/disabling-alter-system-in-postgresql\/\" \/>\n<meta property=\"og:site_name\" content=\"dbi Blog\" \/>\n<meta property=\"article:published_time\" content=\"2024-02-01T12:58:39+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-02-01T12:58:41+00:00\" \/>\n<meta name=\"author\" content=\"Daniel Westermann\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@westermanndanie\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Daniel Westermann\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/disabling-alter-system-in-postgresql\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/disabling-alter-system-in-postgresql\/\"},\"author\":{\"name\":\"Daniel Westermann\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/8d08e9bd996a89bd75c0286cbabf3c66\"},\"headline\":\"Disabling &#8220;alter system&#8221; in PostgreSQL?\",\"datePublished\":\"2024-02-01T12:58:39+00:00\",\"dateModified\":\"2024-02-01T12:58:41+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/disabling-alter-system-in-postgresql\/\"},\"wordCount\":272,\"commentCount\":0,\"keywords\":[\"PostgreSQL\"],\"articleSection\":[\"Database Administration &amp; Monitoring\",\"Database management\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/disabling-alter-system-in-postgresql\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/disabling-alter-system-in-postgresql\/\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/disabling-alter-system-in-postgresql\/\",\"name\":\"Disabling \\\"alter system\\\" in PostgreSQL? - dbi Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\"},\"datePublished\":\"2024-02-01T12:58:39+00:00\",\"dateModified\":\"2024-02-01T12:58:41+00:00\",\"author\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/8d08e9bd996a89bd75c0286cbabf3c66\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/disabling-alter-system-in-postgresql\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/disabling-alter-system-in-postgresql\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/disabling-alter-system-in-postgresql\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.dbi-services.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Disabling &#8220;alter system&#8221; in PostgreSQL?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/\",\"name\":\"dbi Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/8d08e9bd996a89bd75c0286cbabf3c66\",\"name\":\"Daniel Westermann\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/31350ceeecb1dd8986339a29bf040d4cd3cd087d410deccd8f55234466d6c317?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/31350ceeecb1dd8986339a29bf040d4cd3cd087d410deccd8f55234466d6c317?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/31350ceeecb1dd8986339a29bf040d4cd3cd087d410deccd8f55234466d6c317?s=96&d=mm&r=g\",\"caption\":\"Daniel Westermann\"},\"description\":\"Daniel Westermann is Principal Consultant and Technology Leader Open Infrastructure at dbi services. He has more than 15 years of experience in management, engineering and optimization of databases and infrastructures, especially on Oracle and PostgreSQL. Since the beginning of his career, he has specialized in Oracle Technologies and is Oracle Certified Professional 12c and Oracle Certified Expert RAC\/GridInfra. Over time, Daniel has become increasingly interested in open source technologies, becoming \u201cTechnology Leader Open Infrastructure\u201d and PostgreSQL expert. \u00a0Based on community or EnterpriseDB tools, he develops and installs complex high available solutions with PostgreSQL. He is also a certified PostgreSQL Plus 9.0 Professional and a Postgres Advanced Server 9.4 Professional. He is a regular speaker at PostgreSQL conferences in Switzerland and Europe. Today Daniel is also supporting our customers on AWS services such as AWS RDS, database migrations into the cloud, EC2 and automated infrastructure management with AWS SSM (System Manager). He is a certified AWS Solutions Architect Professional. Prior to dbi services, Daniel was Management System Engineer at LC SYSTEMS-Engineering AG in Basel. Before that, he worked as Oracle Developper &amp;\u00a0Project Manager at Delta Energy Solutions AG in Basel (today Powel AG). Daniel holds a diploma in Business Informatics (DHBW, Germany). His branch-related experience mainly covers the pharma industry, the financial sector, energy, lottery and telecommunications.\",\"sameAs\":[\"https:\/\/x.com\/westermanndanie\"],\"url\":\"https:\/\/www.dbi-services.com\/blog\/author\/daniel-westermann\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Disabling \"alter system\" in PostgreSQL? - dbi Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.dbi-services.com\/blog\/disabling-alter-system-in-postgresql\/","og_locale":"en_US","og_type":"article","og_title":"Disabling \"alter system\" in PostgreSQL?","og_description":"Last year there started an interesting discussion on the PostgreSQL development mailing list: Would it make sense to implement something in PostgreSQL which can be used to disable the &#8220;alter system&#8221; command even for superusers? The request comes out of the container \/ K8s world, where parameters are usually set using a declarative way and [&hellip;]","og_url":"https:\/\/www.dbi-services.com\/blog\/disabling-alter-system-in-postgresql\/","og_site_name":"dbi Blog","article_published_time":"2024-02-01T12:58:39+00:00","article_modified_time":"2024-02-01T12:58:41+00:00","author":"Daniel Westermann","twitter_card":"summary_large_image","twitter_creator":"@westermanndanie","twitter_misc":{"Written by":"Daniel Westermann","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.dbi-services.com\/blog\/disabling-alter-system-in-postgresql\/#article","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/disabling-alter-system-in-postgresql\/"},"author":{"name":"Daniel Westermann","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/8d08e9bd996a89bd75c0286cbabf3c66"},"headline":"Disabling &#8220;alter system&#8221; in PostgreSQL?","datePublished":"2024-02-01T12:58:39+00:00","dateModified":"2024-02-01T12:58:41+00:00","mainEntityOfPage":{"@id":"https:\/\/www.dbi-services.com\/blog\/disabling-alter-system-in-postgresql\/"},"wordCount":272,"commentCount":0,"keywords":["PostgreSQL"],"articleSection":["Database Administration &amp; Monitoring","Database management"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.dbi-services.com\/blog\/disabling-alter-system-in-postgresql\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.dbi-services.com\/blog\/disabling-alter-system-in-postgresql\/","url":"https:\/\/www.dbi-services.com\/blog\/disabling-alter-system-in-postgresql\/","name":"Disabling \"alter system\" in PostgreSQL? - dbi Blog","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/#website"},"datePublished":"2024-02-01T12:58:39+00:00","dateModified":"2024-02-01T12:58:41+00:00","author":{"@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/8d08e9bd996a89bd75c0286cbabf3c66"},"breadcrumb":{"@id":"https:\/\/www.dbi-services.com\/blog\/disabling-alter-system-in-postgresql\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.dbi-services.com\/blog\/disabling-alter-system-in-postgresql\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.dbi-services.com\/blog\/disabling-alter-system-in-postgresql\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.dbi-services.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Disabling &#8220;alter system&#8221; in PostgreSQL?"}]},{"@type":"WebSite","@id":"https:\/\/www.dbi-services.com\/blog\/#website","url":"https:\/\/www.dbi-services.com\/blog\/","name":"dbi Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/8d08e9bd996a89bd75c0286cbabf3c66","name":"Daniel Westermann","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/31350ceeecb1dd8986339a29bf040d4cd3cd087d410deccd8f55234466d6c317?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/31350ceeecb1dd8986339a29bf040d4cd3cd087d410deccd8f55234466d6c317?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/31350ceeecb1dd8986339a29bf040d4cd3cd087d410deccd8f55234466d6c317?s=96&d=mm&r=g","caption":"Daniel Westermann"},"description":"Daniel Westermann is Principal Consultant and Technology Leader Open Infrastructure at dbi services. He has more than 15 years of experience in management, engineering and optimization of databases and infrastructures, especially on Oracle and PostgreSQL. Since the beginning of his career, he has specialized in Oracle Technologies and is Oracle Certified Professional 12c and Oracle Certified Expert RAC\/GridInfra. Over time, Daniel has become increasingly interested in open source technologies, becoming \u201cTechnology Leader Open Infrastructure\u201d and PostgreSQL expert. \u00a0Based on community or EnterpriseDB tools, he develops and installs complex high available solutions with PostgreSQL. He is also a certified PostgreSQL Plus 9.0 Professional and a Postgres Advanced Server 9.4 Professional. He is a regular speaker at PostgreSQL conferences in Switzerland and Europe. Today Daniel is also supporting our customers on AWS services such as AWS RDS, database migrations into the cloud, EC2 and automated infrastructure management with AWS SSM (System Manager). He is a certified AWS Solutions Architect Professional. Prior to dbi services, Daniel was Management System Engineer at LC SYSTEMS-Engineering AG in Basel. Before that, he worked as Oracle Developper &amp;\u00a0Project Manager at Delta Energy Solutions AG in Basel (today Powel AG). Daniel holds a diploma in Business Informatics (DHBW, Germany). His branch-related experience mainly covers the pharma industry, the financial sector, energy, lottery and telecommunications.","sameAs":["https:\/\/x.com\/westermanndanie"],"url":"https:\/\/www.dbi-services.com\/blog\/author\/daniel-westermann\/"}]}},"_links":{"self":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/30644","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/users\/29"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/comments?post=30644"}],"version-history":[{"count":8,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/30644\/revisions"}],"predecessor-version":[{"id":30653,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/30644\/revisions\/30653"}],"wp:attachment":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/media?parent=30644"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/categories?post=30644"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/tags?post=30644"},{"taxonomy":"type","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/type_dbi?post=30644"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}