| From: | Jelte Fennema-Nio <postgres(at)jeltef(dot)nl> |
|---|---|
| To: | Kirill Reshke <reshkekirill(at)gmail(dot)com> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Nathan Bossart <nathandbossart(at)gmail(dot)com>, Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>, Ignat Remizov <ignat980(at)gmail(dot)com>, Ashutosh Bapat <ashutosh(dot)bapat(dot)oss(at)gmail(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: [PATCH] Add enable_copy_program GUC to control COPY PROGRAM |
| Date: | 2025-12-05 10:41:00 |
| Message-ID: | CAGECzQSSeAesqZE0P1P=FmVJ-7ee=yfQiLqECKiQVmjo8v5FzQ@mail.gmail.com |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Thu, 4 Dec 2025 at 19:49, Kirill Reshke <reshkekirill(at)gmail(dot)com> wrote:
> > Good question. I think the easiest would be to always disallow FROM
> > PROGRAM (by default) instead of only when connecting over the network.
>
> How? with GUC?
I meant, sidestep this problem completely by not doing my idea of
still allowing FROM PROGRAM over unix connections. And instead
disallowing it for any connections.
> > Another option would be to have dblink (and pg_fdw) tell postgres (wih
> > e.g. a GUC being set in the StartupMessage) that it should be
> > considered a remote connection for these purposes.
>
> Again, if we are using GUC to tell somebody something about security,
> this doesn't work. Superuser can easily redefine any GUC.
If you mark this GUC as PGC_BACKEND it cannot be changed with SET
commands, not even by superusers.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Álvaro Herrera | 2025-12-05 10:44:10 | Re: bt_index_parent_check and concurrently build indexes |
| Previous Message | Hannu Krosing | 2025-12-05 10:32:43 | Re: making tid and HOTness of UPDATE available to logical decoding plugins |