On Wed, Dec 3, 2025 at 6:07 PM Ignat Remizov <[email protected]> wrote: > > Thanks for looking, Ashutosh. > > pg_execute_server_program is sufficient for non‑superusers, but superusers > always bypass it. In the incident that prompted this, the attacker obtained > superuser via weak/default creds on an exposed instance (common in shared dev > or staging setups). From there, COPY PROGRAM is the simplest, most common RCE > vector used by botnets. The GUC is a defense‑in‑depth knob to let an admin > disable that specific path even for superuser, while leaving the feature > available by default for existing users. > > The patch just removes the lowest‑hanging RCE primitive when you explicitly > turn it off (requiring a restart, not ALTER SYSTEM/SET). Default remains on to > preserve current behavior. >
Adding a feature which allows a system to run with compromisable superuser credentials doesn't seem like something the community usually accepts. -- Best Wishes, Ashutosh Bapat
