Re: TR: Re: TR: interface PERL and return results

From: rmunn(at)pobox(dot)com
To: "victor3(dot)lopes(at)voila(dot)fr" <victor3(dot)lopes(at)voila(dot)fr>
Cc: pgsql-interfaces <pgsql-interfaces(at)postgresql(dot)org>
Subject: Re: TR: Re: TR: interface PERL and return results
Date: 2002-10-11 14:22:46
Message-ID: 20021011142246.GA4741@rmunnlfs
Lists: pgsql-interfaces

On Fri, Oct 11, 2002 at 10:34:43AM +0200, victor3(dot)lopes(at)voila(dot)fr wrote:
> > > DEBUG: ProcessUtility: COPY temp FROM '-- my path -- /result.res'
> > > ERROR: You must have Postgres superuser privilege to do a COPY directly to or from a
> > > file. Anyone can COPY to stdout or from stdin. Psql's \copy command also works for
> > > anyone.
> > > ....
> > >
> > > I don't understand this error, because the superuser postgres (who had create for
> > > launch the server) has the privilege
> > > to access and read this file.
> >
> > In your Perl script, what user and password did you use to connect to
> > the database?
> Indeed my user is http and is not the superuser. In my host superuser postgresql is user postgres.
>
> > You need to *connect* as the Postgres superuser (which is
> > almost always the user named 'postgres').
> >
> > If you are connected as user postgres then your COPY command should
> > work.
> >
> > --
> > Robin Munn
> > rmunn(at)pobox(dot)com
>
> Ok, thanks for this information, but I find it's a pity because in all my code I use the user http to access
> tables and I do not see why it would be necessary that I connect differently to use the Copy command :-( to
> access my file directly.
> Perhaps a problem of security?

Yes, the reason for this is security reasons. If anyone could read from
any file, then it would be easy to read, say, '/etc/passwd' into a
database table. And if anyone could write to any file, you might be able
to clobber important security files like /etc/passwd, or just do a
denial-of-service attack by writing gigabytes and gigabytes until the
disk fills up.

Anytime you give direct access to the hard disk, in any way at all, to a
user connecting from the Web, you have created a LOT of security
problems. That's why file access is limited only to the postgres
superuser. It's better not to allow file access from the web AT ALL, but
if you really must, then you can use the postgres superuser -- but be
certain that you know what you're doing.

--
Robin Munn
rmunn(at)pobox(dot)com
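
The error text quoted above notes that anyone can COPY from stdin. The following Perl sketch is an added example, not code from this thread: it loads a file into the table `temp` while staying connected as the non-superuser `http`, using DBD::Pg's `pg_putcopydata`/`pg_putcopyend`. The DSN, the allowed directory and the password source are assumptions (placeholders).

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;
use Cwd qw(realpath);

# Assumed values, not from the thread: the DSN and the single directory
# the web application may load from. Replace both placeholders.
my $DSN         = 'dbi:Pg:dbname=EXAMPLE_DB';
my $ALLOWED_DIR = '/path/to/import/dir';

# Resolve symlinks and ".." first, then require a regular file inside
# the allowed directory, so a request for /etc/passwd is refused.
sub checked_path {
    my ($requested) = @_;
    my $real = realpath($requested);
    my $base = realpath($ALLOWED_DIR);
    die "cannot resolve path\n" unless defined $real && defined $base;
    die "refusing '$requested': not a file under $base\n"
        unless index($real, "$base/") == 0 && -f $real;
    return $real;
}

# COPY ... FROM STDIN: this client process reads the file and streams it,
# so the server never opens a path and no superuser role is needed.
# The file must be in COPY text format (tab-delimited by default).
sub load_file {
    my ($dbh, $path) = @_;
    open(my $fh, '<', $path) or die "open $path: $!\n";
    $dbh->do('COPY temp FROM STDIN');
    my $rows = 0;
    while (my $line = <$fh>) {
        $dbh->pg_putcopydata($line);
        $rows++;
    }
    $dbh->pg_putcopyend();    # row-format errors are reported here
    close $fh;
    return $rows;
}

my $arg = shift @ARGV;
die "usage: $0 FILE\n" unless defined $arg;
my $file = checked_path($arg);
my $dbh  = DBI->connect($DSN, 'http', $ENV{PGPASSWORD},
                        { RaiseError => 1, AutoCommit => 0 });
my $n = eval { load_file($dbh, $file) };
unless (defined $n) { my $e = $@; eval { $dbh->rollback }; die "load failed: $e"; }
$dbh->commit;
print "loaded $n lines as user http\n";
$dbh->disconnect;
```

The file is read with the operating-system permissions of the script's own account, so the path check matters even though the database role is unprivileged.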
