Hi,
On 2025-11-12 13:07:27 -0500, Steve Chavez wrote:
> Postgres provides the `COPY .. TO/FROM PROGRAM` statement. This is
> dangerous from a security perspective because it allows users to escape
> from the SQL sandbox and gain shell access on the instance.
>
> Now there's the `pg_execute_server_program` predefined role to restrict
> access to `COPY.. TO/FROM PROGRAM` but if somehow a pg user gains superuser
> privileges then the predefined role is of no use.
>
> So I wonder if we could remove the possibility of shell access by providing
> a `--with-copy-program` compile flag.
If a user has superuser, the game is already lost. There are *dozens* of ways
to execute arbitrary code at that point.
Greetings,
Andres Freund