On Sat, Jun 25, 2022 at 12:08:13AM +0200, Hannu Krosing wrote: > As part of ongoing work on PostgreSQL security hardening we have > added a capability to disable all file system access (COPY TO/FROM > [PROGRAM] <filename>, pg_*file*() functions, lo_*() functions > accessing files, etc) in a way that can not be re-enabled without > already having access to the file system. That is via a flag which can > be set only in postgresql.conf or on the command line. > > Currently the file system access is controlled via being a SUPREUSER > or having the pg_read_server_files, pg_write_server_files and > pg_execute_server_program roles. The problem with this approach is > that it will not stop an attacker who has managed to become the > PostgreSQL SUPERUSER from breaking out of the server to reading and > writing files and running programs in the surrounding container, VM or > OS.
There was some recent discussion in this area you might be interested in [0]. [0] https://postgr.es/m/20220520225619.GA876272%40nathanxps13 -- Nathan Bossart Amazon Web Services: https://aws.amazon.com
