Thread

  1. Support a`--with-copy-program` compile flag

    Steve Chavez <steve@supabase.io> — 2025-11-12T18:07:27Z

    Hello hackers,
    
    Postgres provides the `COPY .. TO/FROM PROGRAM` statement. This is
    dangerous from a security perspective because it allows users to escape
    from the SQL sandbox and gain shell access on the instance.
    
    Now there's the `pg_execute_server_program` predefined role to restrict
    access to `COPY.. TO/FROM PROGRAM` but if somehow a pg user gains superuser
    privileges then the predefined role is of no use.
    
    So I wonder if we could remove the possibility of shell access by providing
    a `--with-copy-program` compile flag.
    
    Best regards,
    Steve Chavez
    
  2. Re: Support a`--with-copy-program` compile flag

    Heikki Linnakangas <hlinnaka@iki.fi> — 2025-11-12T18:23:04Z

    On 12/11/2025 20:07, Steve Chavez wrote:
    > Hello hackers,
    > 
    > Postgres provides the `COPY .. TO/FROM PROGRAM` statement. This is 
    > dangerous from a security perspective because it allows users to escape 
    > from the SQL sandbox and gain shell access on the instance.
    > 
    > Now there's the `pg_execute_server_program` predefined role to restrict 
    > access to `COPY.. TO/FROM PROGRAM` but if somehow a pg user gains 
    > superuser privileges then the predefined role is of no use.
    > 
    > So I wonder if we could remove the possibility of shell access by 
    > providing a `--with-copy-program` compile flag.
    
    If you are superuser, there are many other ways you can gain shell 
    access. There is no security boundary there.
    
    See e.g. 
    https://www.postgresql.org/about/news/cve-2019-9193-not-a-security-vulnerability-1935/
    
    - Heikki
    
    
    
    
    
  3. Re: Support a`--with-copy-program` compile flag

    Andres Freund <andres@anarazel.de> — 2025-11-12T18:37:40Z

    Hi,
    
    On 2025-11-12 13:07:27 -0500, Steve Chavez wrote:
    > Postgres provides the `COPY .. TO/FROM PROGRAM` statement. This is
    > dangerous from a security perspective because it allows users to escape
    > from the SQL sandbox and gain shell access on the instance.
    > 
    > Now there's the `pg_execute_server_program` predefined role to restrict
    > access to `COPY.. TO/FROM PROGRAM` but if somehow a pg user gains superuser
    > privileges then the predefined role is of no use.
    > 
    > So I wonder if we could remove the possibility of shell access by providing
    > a `--with-copy-program` compile flag.
    
    If a user has superuser, the game is already lost. There are *dozens* of ways
    to execute arbitrary code at that point.
    
    Greetings,
    
    Andres Freund
    
    
    
    
  4. Re: Support a`--with-copy-program` compile flag

    Nathan Bossart <nathandbossart@gmail.com> — 2025-11-12T19:56:10Z

    On Wed, Nov 12, 2025 at 01:07:27PM -0500, Steve Chavez wrote:
    > So I wonder if we could remove the possibility of shell access by providing
    > a `--with-copy-program` compile flag.
    
    You might be interested in this past discussion for a similar idea:
    
    	https://postgr.es/m/flat/20220520225619.GA876272%40nathanxps13
    
    As others have already pointed out, there's no real boundary between
    database superusers and the OS user running Postgres.  I think many would
    like there to be one, but I'm unaware of any serious efforts in that area,
    and I doubt there's much appetite for it in the community.
    
    -- 
    nathan