Search Postgresql Archives

Re: CVE-2019-9193 about COPY FROM/TO PROGRAM

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Magnus Hagander <magnus@xxxxxxxxxxxx> writes:
> On Sat, Mar 30, 2019 at 10:16 PM Tom Lane <tgl@xxxxxxxxxxxxx> wrote:
>> Yeah; this is supposing that there is a security boundary between
>> Postgres superusers and the OS account running the server, which
>> there is not.  We could hardly have features like untrusted PLs
>> if we were trying to maintain such a boundary.

> I wonder if we need to prepare some sort of official response to that.
> I was considering writing up a blog post about it, but maybe we need
> something more official?

Blog post seems like a good idea.  As for an "official" response,
it strikes me that maybe we need better documentation.  I'm not sure
that we spell out anywhere what we think the security model is.
There are plenty of scattered warnings about unsafe things, but
if there's any specific statement equivalent to what I just
wrote above, I can't remember where.

(By the same token, I'm not sure where would be a good place
to put it ...)

			regards, tom lane





[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Postgresql Jobs]     [Postgresql Admin]     [Postgresql Performance]     [Linux Clusters]     [PHP Home]     [PHP on Windows]     [Kernel Newbies]     [PHP Classes]     [PHP Books]     [PHP Databases]     [Postgresql & PHP]     [Yosemite]

  Powered by Linux