
Re: BUG #1830: Non-super-user must be able to copy from a file

From: Bernard <bht(at)actrix(dot)gen(dot)nz>
To: Bruno Wolff III <bruno(at)wolff(dot)to>
Cc: pgsql-bugs(at)postgresql(dot)org, pgsql-general(at)postgresql(dot)org
Subject: Re: BUG #1830: Non-super-user must be able to copy from a file
Date: 2005-08-18 22:16:29
Message-ID: 9l1ag1djlqiek6i026f5f27nd45ibirqph@4ax.com
Lists: pgsql-bugs, pgsql-general
Bruno and interested list members

I want to follow what is suggested here. How are STDIN and STDOUT
addressed when using the JDBC driver?

Or in other words where can I write or receive megabytes of data?

I would not want to append this to the String of a SQL Statement in
Java because that is a String in memory.

Thanks

Bernard


On Wed, 17 Aug 2005 06:51:12 -0500, you wrote:

>On Wed, Aug 17, 2005 at 09:22:16 +0100,
>  Bernard <bht(at)actrix(dot)gen(dot)nz> wrote:
>> 
>> The following bug has been logged online:
>
>This isn't a bug and you really should have asked this question on
>another list. I am moving the discussion over to the general list.
>
>> 
>> Bug reference:      1830
>> Logged by:          Bernard
>> Email address:      bht(at)actrix(dot)gen(dot)nz
>> PostgreSQL version: 8.0.3
>> Operating system:   Linux RedHat 9
>> Description:        Non-super-user must be able to copy from a file
>> Details: 
>> 
>> On the attempt to bulk load a table from a file that is owned by the
>> non-superuser current database user, the following error message is
>> printed:
>> 
>> "must be superuser to COPY to or from a file"
>> 
>> What is the reason for this limitation?
>
>This is described in the documentation for the copy command.
>
>> 
>> It can't justifiably be for security reasons because if a web application
>> such as tomcat requires to bulk load tables automatically on a regular basis
>> then one would be forced to let the web application connect as superuser,
>> which is very bad for security.
>
>No, because you can have the app read the file and then pass the data to
>the copy command. To do this you use STDIN as the file name.
>
>> 
>> In MySQL bulk loading works for all users.
>
>You can use the \copy command in psql to load data from files.
>
>> 
>> We need a Postgresql solution.
>> 
>> We have a web application where both MySQL and Postgresql are supported. With
>> Postgresql, the application would have to connect as user postgres. We have
>> to explain this security risk to our clients very clearly.
>> 
>> ---------------------------(end of broadcast)---------------------------
>> TIP 2: Don't 'kill -9' the postmaster
>
>---------------------------(end of broadcast)---------------------------
>TIP 6: explain analyze is your friend
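
The following is an added example and not part of the original message or thread: one way to stream a client-side file through `COPY ... FROM STDIN` over JDBC as a non-superuser. It assumes a current PostgreSQL JDBC driver, which provides `org.postgresql.copy.CopyManager`; the database `appdb`, role `app_loader`, table `import_rows` and the `PGPASSWORD` environment variable are hypothetical.

```java
import java.io.IOException;
import java.io.Reader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import org.postgresql.PGConnection;
import org.postgresql.copy.CopyManager;

public class StreamCopy {
    // Streams a client-side file to the server with COPY ... FROM STDIN.
    // The server never opens a file itself, so the role needs only INSERT
    // on the target table, not superuser.
    static long load(Connection conn, String table, Path file)
            throws SQLException, IOException {
        // An identifier cannot be a bind parameter, so restrict it to a
        // conservative pattern before building the statement.
        if (!table.matches("[a-z_][a-z0-9_]{0,62}")) {
            throw new IllegalArgumentException("unexpected table name");
        }
        CopyManager copy = conn.unwrap(PGConnection.class).getCopyAPI();
        // The driver reads the Reader in chunks and forwards them as COPY data,
        // so a file of many megabytes is never held as one String.
        try (Reader in = Files.newBufferedReader(file, StandardCharsets.UTF_8)) {
            return copy.copyIn("COPY " + table + " FROM STDIN WITH CSV", in);
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed values: database "appdb", role "app_loader", table "import_rows".
        String url = "jdbc:postgresql://localhost:5432/appdb";
        try (Connection conn = DriverManager.getConnection(
                url, "app_loader", System.getenv("PGPASSWORD"))) {
            conn.setAutoCommit(false);
            try {
                long rows = load(conn, "import_rows", Paths.get(args[0]));
                conn.commit();            // all rows become visible together
                System.out.println("loaded " + rows + " rows");
            } catch (SQLException | IOException e) {
                conn.rollback();          // a malformed row aborts the whole load
                throw e;
            }
        }
    }
}
```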

