| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Ignat Remizov <ignat980(at)gmail(dot)com> |
| Cc: | Ashutosh Bapat <ashutosh(dot)bapat(dot)oss(at)gmail(dot)com>, pgsql-hackers(at)lists(dot)postgresql(dot)org |
| Subject: | Re: [PATCH] Add enable_copy_program GUC to control COPY PROGRAM |
| Date: | 2025-12-03 15:02:44 |
| Message-ID: | 639239.1764774164@sss.pgh.pa.us |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Ignat Remizov <ignat980(at)gmail(dot)com> writes:
> pg_execute_server_program is sufficient for non‑superusers, but superusers
> always bypass it. In the incident that prompted this, the attacker obtained
> superuser via weak/default creds on an exposed instance (common in shared
> dev
> or staging setups). From there, COPY PROGRAM is the simplest, most common
> RCE
> vector used by botnets. The GUC is a defense‑in‑depth knob to let an admin
> disable that specific path even for superuser, while leaving the feature
> available by default for existing users.
This argument is nonsense, because if you've got superuser you can
just change the GUC's setting again. Not to mention all the *other*
ways that a superuser can break out to the OS level. I don't think
this proposal adds anything except more complication, which is not
a good attribute for security-critical considerations.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andres Freund | 2025-12-03 15:13:55 | Re: Remove useless pointer advance in StatsShmemInit() |
| Previous Message | Matthias van de Meent | 2025-12-03 15:02:17 | Re: Use func(void) for functions with no parameters |