Re: [PATCH] Add enable_copy_program GUC to control COPY PROGRAM

From: Tom Lane
Subject: Re: [PATCH] Add enable_copy_program GUC to control COPY PROGRAM
Date:
Msg-id: 704830.1764795683@sss.pgh.pa.us
In reply to: Re: [PATCH] Add enable_copy_program GUC to control COPY PROGRAM  (Nathan Bossart <nathandbossart@gmail.com>)
List: pgsql-hackers
Nathan Bossart <nathandbossart@gmail.com> writes:
> On Wed, Dec 03, 2025 at 11:35:07AM -0800, Jacob Champion wrote:
>> Could initdb be made to instead give you a user with the power to
>> manage almost all of the database (i.e. pg_maintain/pg_monitor), but
>> without the power to touch anything outside it or execute arbitrary
>> code? When you needed true superuser, you could still unlock it from
>> the outside, and at that point it shouldn't be surprising that you can
>> escape.

> IIRC there's been some discussion about that over the years, including in
> my old thread about compiling out untrusted languages [0].

I think the idea of putting training wheels on superuser is pretty
hopeless; there are too many ways in which that allows escape to the OS,
and even if we could close them all, the resulting system would be
very much less useful than today.

The right thing is to move people away from using superuser so much.
Compare this to the Unix root situation.  The OS guys have not tried
to cripple root, but they have started to offer setups where there's
no way to log in as root.  And there are protections like sshd not
allowing login as root (with its default settings anyway).  I like
Jacob's idea of requiring some external input, e.g. a config file
change, before you could become superuser.  I don't necessarily
want to be forced to operate in that world, but we could make it
easier to set up installations that have such restrictions.

            regards, tom lane