Re: CVE-2019-9193 about COPY FROM/TO PROGRAM

From: Jonathan S. Katz
Subject: Re: CVE-2019-9193 about COPY FROM/TO PROGRAM
Date:
Msg-id: 6630e8e9-e2a5-fb01-8f00-b8faac502007@postgresql.org
In reply to: Re: CVE-2019-9193 about COPY FROM/TO PROGRAM  (Magnus Hagander)
List: pgsql-general


On 4/2/19 2:08 PM, Magnus Hagander wrote:
> On Tue, Apr 2, 2019 at 5:31 PM Andres Freund wrote:
>
>     Hi,
>
>     On 2019-04-02 07:35:02 -0500, Brad Nicholson wrote:
>     > Michael Paquier wrote on 04/02/2019 01:05:01 AM:
>     >
>     > > From: Michael Paquier
>     > > To: "Jonathan S. Katz"
>     > > Cc: Tom Lane, Magnus Hagander, Daniel Verite, pgsql-general
>     > > Date: 04/02/2019 01:05 AM
>     > > Subject: Re: CVE-2019-9193 about COPY FROM/TO PROGRAM
>     > >
>     > > On Mon, Apr 01, 2019 at 10:04:32AM -0400, Jonathan S. Katz wrote:
>     > > > +1, though I'd want to see if people get noisier about it
>     > > > before we rule out an official response.
>     > > >
>     > > > A blog post from a reputable author who can speak to security
>     > > > should be good enough and we can make noise through our various
>     > > > channels.
>     > >
>     > > Need a hand?  Not sure if I am reputable enough though :)
>     > >
>     > > By the way, it could be the occasion to consider an official
>     > > PostgreSQL blog on the main website.  News is not really a model
>     > > adapted for problem analysis and for entering into technical
>     > > details.
>     >
>     > A blog post would be nice, but it seems to me having something about
>     > this clearly in the manual would be best, assuming it's not there
>     > already.  I took a quick look, and couldn't find anything.
>
>     https://www.postgresql.org/docs/devel/sql-copy.html
>
>     "Note that the command is invoked by the shell, so if you need to pass
>     any arguments to shell command that come from an untrusted source, you
>     must be careful to strip or escape any special characters that might
>     have a special meaning for the shell. For security reasons, it is best
>     to use a fixed command string, or at least avoid passing any user input
>     in it."
>
>     "Similarly, the command specified with PROGRAM is executed directly by
>     the server, not by the client application, must be executable by the
>     PostgreSQL user. COPY naming a file or command is only allowed to
>     database superusers or users who are granted one of the default roles
>     pg_read_server_files, pg_write_server_files, or
>     pg_execute_server_program, since it allows reading or writing any file
>     or running a program that the server has privileges to access."
>
>     Those seem reasonable to me?
>
>
> Agreed, that part can't really be much clearer.
>
> But perhaps we should add a warning box
> to https://www.postgresql.org/docs/11/sql-createrole.html that basically
> says "creating a superuser means they can x, y and z"?

Yeah, I think that's the path forward -- make it much clearer by putting
it in the warning box and just re-stating that this is what it means.

Jonathan
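As an added example, not part of this thread or of PostgreSQL's own documentation, the query below lists the roles that the quoted COPY documentation says may run COPY ... FROM/TO PROGRAM or touch server-side files: superusers and members, direct or inherited, of pg_execute_server_program, pg_read_server_files and pg_write_server_files. It assumes PostgreSQL 11 or later, where those default roles exist; the role name in the closing REVOKE comment is a placeholder.

```sql
-- Added audit query (not from the thread): which roles can reach
-- COPY ... FROM/TO PROGRAM or read/write files on the server.
-- Assumes PostgreSQL 11+, where the three default roles exist.
-- pg_has_role(..., 'MEMBER') follows nested grants, so inherited
-- membership counts; superusers report true for every role, which
-- matches what they can actually do.
SELECT r.rolname,
       r.rolsuper,
       r.rolcanlogin,
       pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER') AS can_copy_program,
       pg_has_role(r.oid, 'pg_read_server_files',      'MEMBER') AS can_read_server_files,
       pg_has_role(r.oid, 'pg_write_server_files',     'MEMBER') AS can_write_server_files
FROM pg_roles r
WHERE r.rolname NOT LIKE 'pg\_%'   -- skip the built-in pg_* roles themselves
  AND (r.rolsuper
       OR pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER')
       OR pg_has_role(r.oid, 'pg_read_server_files', 'MEMBER')
       OR pg_has_role(r.oid, 'pg_write_server_files', 'MEMBER'))
ORDER BY r.rolsuper DESC, r.rolname;

-- A login role that appears here without needing the capability loses it
-- with a plain REVOKE (app_reader is a placeholder role name):
-- REVOKE pg_execute_server_program FROM app_reader;
```

Run it as any role that can read pg_roles; a superuser entry is expected, and every other row is a grant worth confirming against the warning the thread proposes for CREATE ROLE.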

