| From: | Andres Freund <andres(at)anarazel(dot)de> |
|---|---|
| To: | Steve Chavez <steve(at)supabase(dot)io> |
| Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Support a `--with-copy-program` compile flag |
| Date: | 2025-11-12 18:37:40 |
| Message-ID: | vib6wgj6qqkonz6zzm5n6eckbrfde554dkydrkbek7tenrtzqw@kox7osxq6b6n |
| Lists: | pgsql-hackers |
Hi,

On 2025-11-12 13:07:27 -0500, Steve Chavez wrote:
> Postgres provides the `COPY .. TO/FROM PROGRAM` statement. This is
> dangerous from a security perspective because it allows users to escape
> from the SQL sandbox and gain shell access on the instance.
>
> Now there's the `pg_execute_server_program` predefined role to restrict
> access to `COPY.. TO/FROM PROGRAM` but if somehow a pg user gains superuser
> privileges then the predefined role is of no use.
>
> So I wonder if we could remove the possibility of shell access by providing
> a `--with-copy-program` compile flag.

If a user has superuser, the game is already lost. There are *dozens* of ways
to execute arbitrary code at that point.

Greetings,

Andres Freund
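
An audit query for the two access paths discussed in this message, added here as an example and not part of the original e-mail or of PostgreSQL itself: it lists every superuser and every role that can reach `pg_execute_server_program` through direct or nested membership. The output column names are chosen for this example.

```sql
-- Added example: which roles can reach COPY ... TO/FROM PROGRAM?
-- Superusers bypass the predefined role entirely, so they are listed
-- regardless of membership.
WITH RECURSIVE program_members AS (
    -- Roles granted pg_execute_server_program directly
    SELECT m.member
    FROM pg_auth_members m
    JOIN pg_roles r ON r.oid = m.roleid
    WHERE r.rolname = 'pg_execute_server_program'
  UNION
    -- Roles that are members of a role already in the set (nested grants)
    SELECT m.member
    FROM pg_auth_members m
    JOIN program_members pm ON m.roleid = pm.member
)
SELECT r.rolname,
       r.rolcanlogin,
       r.rolsuper,
       -- true when the role reaches the predefined role through a grant chain
       EXISTS (SELECT 1
               FROM program_members pm
               WHERE pm.member = r.oid) AS via_predefined_role
FROM pg_roles r
WHERE r.rolsuper
   OR r.oid IN (SELECT member FROM program_members)
ORDER BY r.rolsuper DESC, r.rolname;
```

The query reports reachability through the grant graph; it does not evaluate whether each membership is inherited automatically or requires an explicit `SET ROLE`.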