Re: Support a`--with-copy-program` compile flag

Heikki Linnakangas <hlinnaka@iki.fi>

From: Heikki Linnakangas <hlinnaka@iki.fi>
To: Steve Chavez <steve@supabase.io>, PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2025-11-12T18:23:04Z
Lists: pgsql-hackers
On 12/11/2025 20:07, Steve Chavez wrote:
> Hello hackers,
> 
> Postgres provides the `COPY .. TO/FROM PROGRAM` statement. This is 
> dangerous from a security perspective because it allows users to escape 
> from the SQL sandbox and gain shell access on the instance.
> 
> Now there's the `pg_execute_server_program` predefined role to restrict 
> access to `COPY.. TO/FROM PROGRAM` but if somehow a pg user gains 
> superuser privileges then the predefined role is of no use.
> 
> So I wonder if we could remove the possibility of shell access by 
> providing a `--with-copy-program` compile flag.

If you are superuser, there are many other ways you can gain shell 
access. There is no security boundary there.

See e.g. 
https://www.postgresql.org/about/news/cve-2019-9193-not-a-security-vulnerability-1935/

- Heikki