Re: Hardening PostgreSQL via (optional) ban on local file system access

From: Andrey Borodin <x4mmm(at)yandex-team(dot)ru>
To: Hannu Krosing <hannuk(at)google(dot)com>
Cc: pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>, Robert Pang <robertpang(at)google(dot)com>
Subject: Re: Hardening PostgreSQL via (optional) ban on local file system access
Date: 2022-06-25 17:17:28
Message-ID: 84B1DBFF-F0AF-40F1-B4AB-F2988839F13C@yandex-team.ru
Lists: pgsql-hackers

> On 25 Jun 2022, at 03:08, Hannu Krosing <hannuk(at)google(dot)com> wrote:
>
> Currently the file system access is controlled via being a SUPERUSER

My 2 cents. Ongoing work on making superuser access unneeded seems much more relevant to me.
IMO superuser == full OS access available from the postgres process. I think there's an uncountable set of ways to affect the OS from superuser.
E.g. you can create a TOAST value compressed by pglz that allows you to look a few kilobytes before the detoasted datum. Or make an archive_command = 'gcc my shell code'.
It's not even funny to invent things that you can hack as a superuser.

Best regards, Andrey Borodin.
