| From: | Ashutosh Bapat <ashutosh(dot)bapat(dot)oss(at)gmail(dot)com> |
|---|---|
| To: | Ignat Remizov <ignat980(at)gmail(dot)com> |
| Cc: | pgsql-hackers(at)lists(dot)postgresql(dot)org |
| Subject: | Re: [PATCH] Add enable_copy_program GUC to control COPY PROGRAM |
| Date: | 2025-12-03 14:49:45 |
| Message-ID: | CAExHW5vXLAWwKjHtSCp9wu1VV47E-0kaCEBaJoTdeJpq7PdXEw@mail.gmail.com |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Wed, Dec 3, 2025 at 6:07 PM Ignat Remizov <ignat980(at)gmail(dot)com> wrote:
>
> Thanks for looking, Ashutosh.
>
> pg_execute_server_program is sufficient for non‑superusers, but superusers
> always bypass it. In the incident that prompted this, the attacker obtained
> superuser via weak/default creds on an exposed instance (common in shared dev
> or staging setups). From there, COPY PROGRAM is the simplest, most common RCE
> vector used by botnets. The GUC is a defense‑in‑depth knob to let an admin
> disable that specific path even for superuser, while leaving the feature
> available by default for existing users.
>
> The patch just removes the lowest‑hanging RCE primitive when you explicitly
> turn it off (requiring a restart, not ALTER SYSTEM/SET). Default remains on to
> preserve current behavior.
>
Adding a feature which allows a system to run with compromisable
superuser credentials doesn't seem like something the community
usually accepts.
--
Best Wishes,
Ashutosh Bapat
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bertrand Drouvot | 2025-12-03 14:51:25 | Use func(void) for functions with no parameters |
| Previous Message | Álvaro Herrera | 2025-12-03 14:41:09 | Re: Simplify code building the LR conflict messages |