Re: [PATCH] Add enable_copy_program GUC to control COPY PROGRAM
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Nathan Bossart <nathandbossart@gmail.com>
Cc: Jacob Champion <jacob.champion@enterprisedb.com>,
Ignat Remizov <ignat980@gmail.com>,
Ashutosh Bapat <ashutosh.bapat.oss@gmail.com>,
pgsql-hackers@lists.postgresql.org
Date: 2025-12-03T21:01:23Z
Lists: pgsql-hackers
Nathan Bossart <nathandbossart@gmail.com> writes: > On Wed, Dec 03, 2025 at 11:35:07AM -0800, Jacob Champion wrote: >> Could initdb be made to instead give you a user with the power to >> manage almost all of the database (i.e. pg_maintain/pg_monitor), but >> without the power to touch anything outside it or execute arbitrary >> code? When you needed true superuser, you could still unlock it from >> the outside, and at that point it shouldn't be surprising that you can >> escape. > IIRC there's been some discussion about that over the years, including in > my old thread about compiling out untrusted languages [0]. I think the idea of putting training wheels on superuser is pretty hopeless; there's too many ways in which that allows escape to the OS, and even if we could close them all, the resulting system would be very much less useful than today. The right thing is to move people away from using superuser so much. Compare this to the Unix root situation. The OS guys have not tried to cripple root, but they have started to offer setups where there's no way to log in as root. And there's protections like sshd not allowing login as root (with its default settings anyway). I like Jacob's idea of requiring some external input, eg a config file change, before you could become superuser. I don't necessarily want to be forced to operate in that world, but we could make it easier to set up installations that have such restrictions. regards, tom lane