Hi,

On 2025-11-12 13:07:27 -0500, Steve Chavez wrote:
> Postgres provides the `COPY .. TO/FROM PROGRAM` statement. This is
> dangerous from a security perspective because it allows users to escape
> from the SQL sandbox and gain shell access on the instance.
>
> Now there's the `pg_execute_server_program` predefined role to restrict
> access to `COPY.. TO/FROM PROGRAM` but if somehow a pg user gains superuser
> privileges then the predefined role is of no use.
>
> So I wonder if we could remove the possibility of shell access by providing
> a `--with-copy-program` compile flag.

If a user has superuser, the game is already lost. There are *dozens* of ways
to execute arbitrary code at that point.

Greetings,

Andres Freund
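An added example, not part of the thread and not code from either poster: a catalog query an administrator can run to list every role that can currently reach `COPY .. TO/FROM PROGRAM`, either as a superuser or through direct or nested membership in `pg_execute_server_program`. It assumes a server version that ships this predefined role; the output column names are chosen here for illustration.

```sql
-- Audit: which roles can run COPY ... TO/FROM PROGRAM on this cluster?
-- Added example; output column names (role_name, can_login, via) are
-- illustrative choices, not anything defined by PostgreSQL.
WITH RECURSIVE program_members AS (
    -- Direct members of the predefined role
    SELECT m.member
    FROM pg_auth_members m
    JOIN pg_roles g ON g.oid = m.roleid
    WHERE g.rolname = 'pg_execute_server_program'
  UNION
    -- Roles that are members of a role already found (nested grants)
    SELECT m.member
    FROM pg_auth_members m
    JOIN program_members p ON m.roleid = p.member
)
SELECT r.rolname     AS role_name,
       r.rolcanlogin AS can_login,
       'superuser'   AS via
FROM pg_roles r
WHERE r.rolsuper
UNION
SELECT r.rolname,
       r.rolcanlogin,
       'pg_execute_server_program'
FROM program_members p
JOIN pg_roles r ON r.oid = p.member
ORDER BY role_name, via;
```

Rows with `via = 'superuser'` are the case the reply addresses: revoking the predefined role does not constrain them.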
