
Re: Disable access shell command in psql

From: Michael Fuhr <mike(at)fuhr(dot)org>
To: Thiago Maluf <malufrj(at)gmail(dot)com>
Cc: pgsql-admin(at)postgresql(dot)org
Subject: Re: Disable access shell command in psql
Date: 2007-07-23 14:16:35
Message-ID: 20070723141634.GA7388@winnie.fuhr.org
Lists: pgsql-admin
On Mon, Jul 23, 2007 at 10:59:17AM -0300, Thiago Maluf wrote:
> I have one database server with postgresql 8.1 and I discovered yesterday
> one security problem.
> When I access my server through psql I have the possibility to execute
> commands in my server using "\!" or write one file using "\e".
> I want to disable these options in my server but I searched for it and did not find it.

These psql commands run on the client with the privileges of the
client; they don't allow the client to do anything it couldn't
already do from the shell, and presumably the client already has
access to the shell if it's running psql.  This would be a security
problem if you use psql to run SQL statements from an untrusted
source, but if you're doing that then you already have a security
problem.

-- 
Michael Fuhr
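
The untrusted-script case mentioned in the reply can be pre-screened before a file is handed to psql. The following is an added example, not part of the original message or of PostgreSQL: it flags psql meta-commands that act on the client machine, going beyond the `\!` and `\e` named in the thread to other file and pipe commands. The function names and the sample script are hypothetical, and the match is deliberately over-inclusive (it also flags occurrences inside strings and comments).

```python
import re
from typing import List, NamedTuple

# psql meta-commands that touch the client's shell, editor or local files.
CLIENT_SIDE = {
    "!": "runs a shell command on the client",
    "e": "opens the client's editor on a file",
    "edit": "opens the client's editor on a file",
    "o": "sends query output to a client file or pipe",
    "out": "sends query output to a client file or pipe",
    "w": "writes the query buffer to a client file or pipe",
    "write": "writes the query buffer to a client file or pipe",
    "copy": "reads or writes a file on the client",
    "i": "executes another file from the client",
    "include": "executes another file from the client",
    "cd": "changes the client's working directory",
}

# A backslash followed by "!" or by a command name (so \echo is not read as \e).
META = re.compile(r"\\(!|[A-Za-z_]+)")

class Finding(NamedTuple):
    line_no: int
    command: str
    reason: str

def find_client_side_commands(script: str) -> List[Finding]:
    """Return every client-side meta-command found in a psql script."""
    findings = []
    for line_no, line in enumerate(script.splitlines(), start=1):
        for match in META.finditer(line):
            reason = CLIENT_SIDE.get(match.group(1))
            if reason:
                findings.append(Finding(line_no, "\\" + match.group(1), reason))
    return findings

# Constructed sample script (not from the original thread).
SAMPLE = "\n".join([
    "-- constructed sample script",
    "CREATE TABLE t (id int);",
    r"\echo loading rows",
    "INSERT INTO t VALUES (1);",
    r"\! id",
    r"SELECT * FROM t \o /tmp/out.txt",
    r"\dt",
    r"\e /tmp/notes.sql",
])

if __name__ == "__main__":
    for f in find_client_side_commands(SAMPLE):
        print(f"line {f.line_no}: {f.command} {f.reason}")
```
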
