| From: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi> |
|---|---|
| To: | Steve Chavez <steve(at)supabase(dot)io>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Support a`--with-copy-program` compile flag |
| Date: | 2025-11-12 18:23:04 |
| Message-ID: | 6ab1546e-5bb9-4408-8495-81373504e3ab@iki.fi |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 12/11/2025 20:07, Steve Chavez wrote:
> Hello hackers,
>
> Postgres provides the `COPY .. TO/FROM PROGRAM` statement. This is
> dangerous from a security perspective because it allows users to escape
> from the SQL sandbox and gain shell access on the instance.
>
> Now there's the `pg_execute_server_program` predefined role to restrict
> access to `COPY.. TO/FROM PROGRAM` but if somehow a pg user gains
> superuser privileges then the predefined role is of no use.
>
> So I wonder if we could remove the possibility of shell access by
> providing a `--with-copy-program` compile flag.
If you are superuser, there are many other ways you can gain shell
access. There is no security boundary there.
See e.g.
https://www.postgresql.org/about/news/cve-2019-9193-not-a-security-vulnerability-1935/
- Heikki
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andres Freund | 2025-11-12 18:37:40 | Re: Support a`--with-copy-program` compile flag |
| Previous Message | Steve Chavez | 2025-11-12 18:07:27 | Support a`--with-copy-program` compile flag |