Re: [PATCH] Add enable_copy_program GUC to control COPY PROGRAM

Ignat Remizov <ignat980@gmail.com> writes:
> pg_execute_server_program is sufficient for non‑superusers, but superusers
> always bypass it. In the incident that prompted this, the attacker obtained
> superuser via weak/default creds on an exposed instance (common in shared
> dev
> or staging setups). From there, COPY PROGRAM is the simplest, most common
> RCE
> vector used by botnets. The GUC is a defense‑in‑depth knob to let an admin
> disable that specific path even for superuser, while leaving the feature
> available by default for existing users.

This argument is nonsense, because if you've got superuser you can
just change the GUC's setting again.  Not to mention all the *other*
ways that a superuser can break out to the OS level.  I don't think
this proposal adds anything except more complication, which is not
a good attribute for security-critical considerations.

            regards, tom lane