Discussion: Support a `--with-copy-program` compile flag
Hello hackers,
Postgres provides the `COPY .. TO/FROM PROGRAM` statement. This is dangerous from a security perspective because it allows users to escape from the SQL sandbox and gain shell access on the instance.
Now there's the `pg_execute_server_program` predefined role to restrict access to `COPY.. TO/FROM PROGRAM` but if somehow a pg user gains superuser privileges then the predefined role is of no use.
So I wonder if we could remove the possibility of shell access by providing a `--with-copy-program` compile flag.
Best regards,
Steve Chavez
On 12/11/2025 20:07, Steve Chavez wrote:
> Hello hackers,
>
> Postgres provides the `COPY .. TO/FROM PROGRAM` statement. This is
> dangerous from a security perspective because it allows users to escape
> from the SQL sandbox and gain shell access on the instance.
>
> Now there's the `pg_execute_server_program` predefined role to restrict
> access to `COPY.. TO/FROM PROGRAM` but if somehow a pg user gains
> superuser privileges then the predefined role is of no use.
>
> So I wonder if we could remove the possibility of shell access by
> providing a `--with-copy-program` compile flag.

If you are superuser, there are many other ways you can gain shell access. There is no security boundary there. See e.g. https://www.postgresql.org/about/news/cve-2019-9193-not-a-security-vulnerability-1935/

- Heikki
Hi,

On 2025-11-12 13:07:27 -0500, Steve Chavez wrote:
> Postgres provides the `COPY .. TO/FROM PROGRAM` statement. This is
> dangerous from a security perspective because it allows users to escape
> from the SQL sandbox and gain shell access on the instance.
>
> Now there's the `pg_execute_server_program` predefined role to restrict
> access to `COPY.. TO/FROM PROGRAM` but if somehow a pg user gains superuser
> privileges then the predefined role is of no use.
>
> So I wonder if we could remove the possibility of shell access by providing
> a `--with-copy-program` compile flag.

If a user has superuser, the game is already lost. There are *dozens* of ways to execute arbitrary code at that point.

Greetings,

Andres Freund
On Wed, Nov 12, 2025 at 01:07:27PM -0500, Steve Chavez wrote:
> So I wonder if we could remove the possibility of shell access by providing
> a `--with-copy-program` compile flag.
You might be interested in this past discussion for a similar idea:
https://postgr.es/m/flat/20220520225619.GA876272%40nathanxps13
As others have already pointed out, there's no real boundary between
database superusers and the OS user running Postgres. I think many would
like there to be one, but I'm unaware of any serious efforts in that area,
and I doubt there's much appetite for it in the community.
--
nathan