Thread
-
Support a`--with-copy-program` compile flag
Steve Chavez <steve@supabase.io> — 2025-11-12T18:07:27Z
Hello hackers, Postgres provides the `COPY .. TO/FROM PROGRAM` statement. This is dangerous from a security perspective because it allows users to escape from the SQL sandbox and gain shell access on the instance. Now there's the `pg_execute_server_program` predefined role to restrict access to `COPY.. TO/FROM PROGRAM` but if somehow a pg user gains superuser privileges then the predefined role is of no use. So I wonder if we could remove the possibility of shell access by providing a `--with-copy-program` compile flag. Best regards, Steve Chavez
-
Re: Support a`--with-copy-program` compile flag
Heikki Linnakangas <hlinnaka@iki.fi> — 2025-11-12T18:23:04Z
On 12/11/2025 20:07, Steve Chavez wrote: > Hello hackers, > > Postgres provides the `COPY .. TO/FROM PROGRAM` statement. This is > dangerous from a security perspective because it allows users to escape > from the SQL sandbox and gain shell access on the instance. > > Now there's the `pg_execute_server_program` predefined role to restrict > access to `COPY.. TO/FROM PROGRAM` but if somehow a pg user gains > superuser privileges then the predefined role is of no use. > > So I wonder if we could remove the possibility of shell access by > providing a `--with-copy-program` compile flag. If you are superuser, there are many other ways you can gain shell access. There is no security boundary there. See e.g. https://www.postgresql.org/about/news/cve-2019-9193-not-a-security-vulnerability-1935/ - Heikki
-
Re: Support a`--with-copy-program` compile flag
Andres Freund <andres@anarazel.de> — 2025-11-12T18:37:40Z
Hi, On 2025-11-12 13:07:27 -0500, Steve Chavez wrote: > Postgres provides the `COPY .. TO/FROM PROGRAM` statement. This is > dangerous from a security perspective because it allows users to escape > from the SQL sandbox and gain shell access on the instance. > > Now there's the `pg_execute_server_program` predefined role to restrict > access to `COPY.. TO/FROM PROGRAM` but if somehow a pg user gains superuser > privileges then the predefined role is of no use. > > So I wonder if we could remove the possibility of shell access by providing > a `--with-copy-program` compile flag. If a user has superuser, the game is already lost. There are *dozens* of ways to execute arbitrary code at that point. Greetings, Andres Freund
-
Re: Support a`--with-copy-program` compile flag
Nathan Bossart <nathandbossart@gmail.com> — 2025-11-12T19:56:10Z
On Wed, Nov 12, 2025 at 01:07:27PM -0500, Steve Chavez wrote: > So I wonder if we could remove the possibility of shell access by providing > a `--with-copy-program` compile flag. You might be interested in this past discussion for a similar idea: https://postgr.es/m/flat/20220520225619.GA876272%40nathanxps13 As others have already pointed out, there's no real boundary between database superusers and the OS user running Postgres. I think many would like there to be one, but I'm unaware of any serious efforts in that area, and I doubt there's much appetite for it in the community. -- nathan