Support a `--with-copy-program` compile flag

Started by Steve Chavez, 2 months ago, 4 messages

#1 Steve Chavez
steve@supabase.io

Hello hackers,

Postgres provides the `COPY .. TO/FROM PROGRAM` statement. This is
dangerous from a security perspective because it allows users to escape
from the SQL sandbox and gain shell access on the instance.

Now there's the `pg_execute_server_program` predefined role to restrict
access to `COPY.. TO/FROM PROGRAM` but if somehow a pg user gains superuser
privileges then the predefined role is of no use.

So I wonder if we could remove the possibility of shell access by providing
a `--with-copy-program` compile flag.

Best regards,
Steve Chavez
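The message above describes the two ways a role can reach `COPY .. TO/FROM PROGRAM`: superuser status (which bypasses the predefined role entirely) and membership in `pg_execute_server_program`. The following audit query is an added example for this thread, not code from any of the posters; it uses only PostgreSQL's own catalogs (`pg_roles`, `pg_has_role`), and `app_user` is a placeholder role name.

```sql
-- Added example (not from the thread): list every role that can run
-- COPY .. TO/FROM PROGRAM, either because it is a superuser or because it
-- is a member of the predefined pg_execute_server_program role.
SELECT r.rolname,
       r.rolsuper                                                 AS is_superuser,
       pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER')  AS has_copy_program
FROM   pg_roles AS r
WHERE  r.rolname NOT LIKE 'pg\_%'   -- skip the built-in pg_* roles themselves
  AND (r.rolsuper
       OR pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER'))
ORDER BY r.rolname;

-- Remove the grant from an application role that should never shell out.
-- 'app_user' is a placeholder role name for this example.
REVOKE pg_execute_server_program FROM app_user;

-- Verification from a session running as that non-superuser role: the
-- statement below is expected to be rejected with
--   ERROR:  permission denied to COPY to or from an external program
-- COPY (SELECT 1) TO PROGRAM 'cat';
```

Rows where `is_superuser` is true are the ones the replies in this thread are talking about: revoking the predefined role does nothing for them, so the query is useful for reviewing who holds superuser at all, not just who was granted the COPY PROGRAM role.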

#2 Heikki Linnakangas
hlinnaka@iki.fi
In reply to: Steve Chavez (#1)
Re: Support a `--with-copy-program` compile flag

On 12/11/2025 20:07, Steve Chavez wrote:

> Hello hackers,
>
> Postgres provides the `COPY .. TO/FROM PROGRAM` statement. This is
> dangerous from a security perspective because it allows users to escape
> from the SQL sandbox and gain shell access on the instance.
>
> Now there's the `pg_execute_server_program` predefined role to restrict
> access to `COPY.. TO/FROM PROGRAM` but if somehow a pg user gains
> superuser privileges then the predefined role is of no use.
>
> So I wonder if we could remove the possibility of shell access by
> providing a `--with-copy-program` compile flag.

If you are superuser, there are many other ways you can gain shell
access. There is no security boundary there.

See e.g.
https://www.postgresql.org/about/news/cve-2019-9193-not-a-security-vulnerability-1935/

- Heikki

#3 Andres Freund
andres@anarazel.de
In reply to: Steve Chavez (#1)
Re: Support a `--with-copy-program` compile flag

Hi,

On 2025-11-12 13:07:27 -0500, Steve Chavez wrote:

> Postgres provides the `COPY .. TO/FROM PROGRAM` statement. This is
> dangerous from a security perspective because it allows users to escape
> from the SQL sandbox and gain shell access on the instance.
>
> Now there's the `pg_execute_server_program` predefined role to restrict
> access to `COPY.. TO/FROM PROGRAM` but if somehow a pg user gains superuser
> privileges then the predefined role is of no use.
>
> So I wonder if we could remove the possibility of shell access by providing
> a `--with-copy-program` compile flag.

If a user has superuser, the game is already lost. There are *dozens* of ways
to execute arbitrary code at that point.

Greetings,

Andres Freund

#4 Nathan Bossart
nathandbossart@gmail.com
In reply to: Steve Chavez (#1)
Re: Support a `--with-copy-program` compile flag

On Wed, Nov 12, 2025 at 01:07:27PM -0500, Steve Chavez wrote:

> So I wonder if we could remove the possibility of shell access by providing
> a `--with-copy-program` compile flag.

You might be interested in this past discussion for a similar idea:

/messages/by-id/flat/20220520225619.GA876272@nathanxps13

As others have already pointed out, there's no real boundary between
database superusers and the OS user running Postgres. I think many would
like there to be one, but I'm unaware of any serious efforts in that area,
and I doubt there's much appetite for it in the community.

--
nathan