Re: [PATCH] Add enable_copy_program GUC to control COPY PROGRAM
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Ignat Remizov <ignat980@gmail.com>
Cc: Ashutosh Bapat <ashutosh.bapat.oss@gmail.com>,
pgsql-hackers@lists.postgresql.org
Date: 2025-12-03T15:02:44Z
Lists: pgsql-hackers
Ignat Remizov <ignat980@gmail.com> writes: > pg_execute_server_program is sufficient for non‑superusers, but superusers > always bypass it. In the incident that prompted this, the attacker obtained > superuser via weak/default creds on an exposed instance (common in shared > dev > or staging setups). From there, COPY PROGRAM is the simplest, most common > RCE > vector used by botnets. The GUC is a defense‑in‑depth knob to let an admin > disable that specific path even for superuser, while leaving the feature > available by default for existing users. This argument is nonsense, because if you've got superuser you can just change the GUC's setting again. Not to mention all the *other* ways that a superuser can break out to the OS level. I don't think this proposal adds anything except more complication, which is not a good attribute for security-critical considerations. regards, tom lane