On 12/11/2025 20:07, Steve Chavez wrote:
> Hello hackers,
>
> Postgres provides the `COPY .. TO/FROM PROGRAM` statement. This is dangerous from a security perspective because it allows users to escape from the SQL sandbox and gain shell access on the instance.
>
> Now there's the `pg_execute_server_program` predefined role to restrict access to `COPY .. TO/FROM PROGRAM` but if somehow a pg user gains superuser privileges then the predefined role is of no use.
>
> So I wonder if we could remove the possibility of shell access by providing a `--with-copy-program` compile flag.

If you are superuser, there are many other ways you can gain shell access. There is no security boundary there.

See e.g. https://www.postgresql.org/about/news/cve-2019-9193-not-a-security-vulnerability-1935/

- Heikki
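
As an added example (not part of the original thread), the following audit query lists every role that can currently run `COPY .. TO/FROM PROGRAM`, either because it is a superuser or because it reaches `pg_execute_server_program` through direct or nested role membership. It assumes a server version that ships the `pg_execute_server_program` role and uses only the standard `pg_roles` and `pg_auth_members` catalogs; the CTE name `via_role` and the `reason` labels are chosen here for illustration.

```sql
-- Added example: who can execute server-side programs via COPY?
WITH RECURSIVE via_role AS (
    -- Direct members of the predefined role
    SELECT member
    FROM pg_auth_members
    WHERE roleid = 'pg_execute_server_program'::regrole
  UNION
    -- Roles that are members of a role already found (nested grants)
    SELECT m.member
    FROM pg_auth_members m
    JOIN via_role v ON m.roleid = v.member
)
SELECT r.rolname,
       r.rolcanlogin,
       CASE
           WHEN r.rolsuper THEN 'superuser (predefined-role check does not apply)'
           ELSE 'member of pg_execute_server_program'
       END AS reason
FROM pg_roles r
WHERE r.rolsuper
   OR r.oid IN (SELECT member FROM via_role)
ORDER BY r.rolsuper DESC, r.rolname;
```

Rows with `rolcanlogin = true` are the ones that can be used directly from a client connection; the rest only matter through roles that inherit from or can switch to them.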


