Re: Support a`--with-copy-program` compile flag
Heikki Linnakangas <hlinnaka@iki.fi>
From: Heikki Linnakangas <hlinnaka@iki.fi>
To: Steve Chavez <steve@supabase.io>,
PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2025-11-12T18:23:04Z
Lists: pgsql-hackers
On 12/11/2025 20:07, Steve Chavez wrote: > Hello hackers, > > Postgres provides the `COPY .. TO/FROM PROGRAM` statement. This is > dangerous from a security perspective because it allows users to escape > from the SQL sandbox and gain shell access on the instance. > > Now there's the `pg_execute_server_program` predefined role to restrict > access to `COPY.. TO/FROM PROGRAM` but if somehow a pg user gains > superuser privileges then the predefined role is of no use. > > So I wonder if we could remove the possibility of shell access by > providing a `--with-copy-program` compile flag. If you are superuser, there are many other ways you can gain shell access. There is no security boundary there. See e.g. https://www.postgresql.org/about/news/cve-2019-9193-not-a-security-vulnerability-1935/ - Heikki