Re: executing Linux commands from the PostgreSQL server

From: hubert depesz lubaczewski <depesz(at)depesz(dot)com>
To: Matthias Apitz <guru(at)unixarea(dot)de>
Cc: pgsql-general(at)lists(dot)postgresql(dot)org
Subject: Re: executing Linux commands from the PostgreSQL server
Date: 2025-09-23 13:05:01
Message-ID: aNKa_SLcqjTCJg6H@depesz.com
Lists: pgsql-general

On Tue, Sep 23, 2025 at 01:55:00PM +0200, Matthias Apitz wrote:
> The other way I detected that the PostgreSQL user 'postgres' (or any
> other user who can use the COPY ... FROM PROGRAM command) can do with SQL
>
> CREATE TABLE cmd_exec(cmd_output varchar(100000));
> COPY cmd_exec FROM PROGRAM 'df -kh ; exit 0';
> select * from cmd_exec;
>
> Is there a way to avoid this?

Don't use superuser. Don't allow logging as superuser from remote
places. Don't grant pg_execute_server_program to anyone.

Best regards,

depesz
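A way to check the three points above on a running cluster, as an added example that is not part of this thread (the role name app_user is an assumed placeholder):

```sql
-- Audit: which roles can run COPY ... FROM PROGRAM?
-- The server allows it for superusers and for members of the predefined
-- role pg_execute_server_program (PostgreSQL 11 and later).
-- Note: pg_has_role() reports TRUE for every role when the first argument
-- is a superuser, which matches the real effective privilege.
SELECT r.rolname,
       r.rolsuper                                                     AS is_superuser,
       pg_has_role(r.rolname, 'pg_execute_server_program', 'MEMBER')   AS can_exec_program,
       r.rolcanlogin                                                   AS can_login
FROM   pg_roles AS r
WHERE  r.rolname NOT LIKE 'pg\_%'     -- skip the built-in pg_* roles themselves
  AND (r.rolsuper
       OR pg_has_role(r.rolname, 'pg_execute_server_program', 'MEMBER'))
ORDER  BY r.rolname;

-- Remediation for a role that turned up in the list but should not have it:
REVOKE pg_execute_server_program FROM app_user;
ALTER ROLE app_user NOSUPERUSER;

-- Remote superuser login is not an SQL setting; it is blocked in pg_hba.conf
-- with a reject entry placed before any permissive 'host' lines, e.g.
--   host  all  postgres  0.0.0.0/0  reject
--   host  all  postgres  ::/0       reject
-- followed by 'SELECT pg_reload_conf();' to apply it.
```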
