Re: How to stop script executions

From: John McKown <john(dot)archie(dot)mckown(at)gmail(dot)com>
To: PostgreSQL General <pgsql-general(at)postgresql(dot)org>
Subject: Re: How to stop script executions
Date: 2016-07-26 14:23:15
Message-ID: CAAJSdjiAc3FC8qhVSzqytEQyGTHiFBgFNy2Efw8-Kx=sPBH4Ng@mail.gmail.com
Lists: pgsql-general

On Tue, Jul 26, 2016 at 9:05 AM, Melvin Davidson <melvin6925(at)gmail(dot)com>
wrote:

>
>
> On Tue, Jul 26, 2016 at 9:52 AM, Dev Kumkar <devdas(dot)kumkar(at)gmail(dot)com>
> wrote:
>
>> On Tue, Jul 26, 2016 at 6:59 PM, David G. Johnston <
>> david(dot)g(dot)johnston(at)gmail(dot)com> wrote:
>>
>>> Typically this means that given user only having psql, or some other
>>> backend protocol only, connect to the database are they able to execute
>>> arbitrary commands as the user running the PostgreSQL process on the host
>>> system.
>>>
>>> Untrusted languages are untrusted for specifically this reason. Without
>>> untrusted languages it requires privilege escalation to interact
>>> dynamically with the host operating system.
>>>
>>> Assuming raised privileges it is presently impossible to prevent such
>>> dynamic interaction.
>>>
>>
>> Just thinking if untrusted language like plperlu is not installed then
>> executing arbitrary commands is not possible.
>> So the other possible which you did mention was COPY FROM PROGRAM
>> command, is this understanding correct?
>>
>> Regards...
>>
>
> >COPY FROM PROGRAM
>
> I think at this point it would be most beneficial if
> 1. You stated your version of PostgreSQL & O/S
> 2. Gave a comprehensive explanation of exactly what you are trying to do.
> IOW, What exactly are you trying to prevent users from doing and why?
>

I agree. From my reading at:
https://www.postgresql.org/docs/9.5/static/sql-copy.html the COPY FROM
PROGRAM is only available to a PostgreSQL user who is database superuser.
That, sort of, implies to me that said user is trusted not to do "evil",
but abide by the restrictions placed upon him/her/it. In some strange
reality where this is not the case, and I was running on Linux, I would use
SELinux in enforcing mode to really restrict what the id under which the
server is running could do. That is, a "don't allow unless explicitly
allowed" type policy. Or I'd "sandbox" the PostgreSQL server code using
something like docker, or in a virtual machine with little access to
other services.

>
>
> --
> *Melvin Davidson*
> I reserve the right to fantasize. Whether or not you
> wish to share my fantasy is entirely up to you.
>

--
Klein bottle for rent -- inquire within.

Maranatha! <><
John McKown
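An audit query for the two paths discussed in this thread (superuser-only COPY FROM PROGRAM and untrusted procedural languages), added here as an example and not part of the original thread. It assumes the PostgreSQL 9.5 catalog columns as documented; the last query applies only to PostgreSQL 11 and later, where membership in the pg_execute_server_program role also grants COPY ... FROM PROGRAM.

```sql
-- Added example, not from the thread: catalog queries a DBA can run to
-- see which roles and languages could reach the host OS from inside SQL.

-- 1. Roles that may run COPY ... FROM PROGRAM outright (superusers).
SELECT rolname
FROM   pg_roles
WHERE  rolsuper
ORDER BY rolname;

-- 2. Untrusted procedural languages installed in the current database.
--    Functions written in these run as the server's OS user, which is why
--    only superusers may create them.
SELECT lanname
FROM   pg_language
WHERE  lanispl AND NOT lanpltrusted
ORDER BY lanname;

-- 3. Functions already defined in an untrusted language. Any role holding
--    EXECUTE on one of them (PUBLIC by default) inherits that host access
--    without being superuser, so these deserve a look at their ACLs.
SELECT n.nspname,
       p.proname,
       l.lanname,
       pg_get_userbyid(p.proowner) AS owner
FROM   pg_proc p
JOIN   pg_language  l ON l.oid = p.prolang
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  l.lanispl AND NOT l.lanpltrusted
ORDER BY n.nspname, p.proname;

-- 4. PostgreSQL 11 and later only: members of pg_execute_server_program
--    can use COPY ... FROM PROGRAM as non-superusers. On 9.5 this role
--    does not exist and the query simply returns no rows.
SELECT r.rolname
FROM   pg_auth_members m
JOIN   pg_roles r ON r.oid = m.member
JOIN   pg_roles g ON g.oid = m.roleid
WHERE  g.rolname = 'pg_execute_server_program'
ORDER BY r.rolname;
```

Query 2 is per database, so run it in each database (or loop with psql) rather than once per cluster.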
