On Tue, Apr 2, 2019 at 5:31 PM Andres Freund <andres@xxxxxxxxxxx> wrote:
Hi,
On 2019-04-02 07:35:02 -0500, Brad Nicholson wrote:
> Michael Paquier <michael@xxxxxxxxxxx> wrote on 04/02/2019 01:05:01 AM:
>
> > From: Michael Paquier <michael@xxxxxxxxxxx>
> > To: "Jonathan S. Katz" <jkatz@xxxxxxxxxxxxxx>
> > Cc: Tom Lane <tgl@xxxxxxxxxxxxx>, Magnus Hagander
> > <magnus@xxxxxxxxxxxx>, Daniel Verite <daniel@xxxxxxxxxxxxxxxx>,
> > pgsql-general <pgsql-general@xxxxxxxxxxxxxxxxxxxx>
> > Date: 04/02/2019 01:05 AM
> > Subject: Re: CVE-2019-9193 about COPY FROM/TO PROGRAM
> >
> > On Mon, Apr 01, 2019 at 10:04:32AM -0400, Jonathan S. Katz wrote:
> > > +1, though I’d want to see if people get noisier about it before we rule
> > > out an official response.
> > >
> > > A blog post from a reputable author who can speak to security should
> > > be good enough and we can make noise through our various channels.
> >
> > Need a hand? Not sure if I am reputable enough though :)
> >
> > By the way, it could be the occasion to consider an official
> > PostgreSQL blog on the main website. News are not really a model
> > adapted for problem analysis and for entering into technical details.
>
> A blog post would be nice, but it seems to me that having something about this
> clearly in the manual would be best, assuming it's not there already. I
> took a quick look, and couldn't find anything.
https://www.postgresql.org/docs/devel/sql-copy.html
"Note that the command is invoked by the shell, so if you need to pass
any arguments to shell command that come from an untrusted source, you
must be careful to strip or escape any special characters that might
have a special meaning for the shell. For security reasons, it is best
to use a fixed command string, or at least avoid passing any user input
in it."
"Similarly, the command specified with PROGRAM is executed directly by
the server, not by the client application, must be executable by the
PostgreSQL user. COPY naming a file or command is only allowed to
database superusers or users who are granted one of the default roles
pg_read_server_files, pg_write_server_files, or
pg_execute_server_program, since it allows reading or writing any file
or running a program that the server has privileges to access."
Those seem reasonable to me?
Agreed, that part can't really be much clearer.
But perhaps we should add a warning box to https://www.postgresql.org/docs/11/sql-createrole.html that basically says "creating a superuser means they can x, y and z"?
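The two points the quoted manual text makes, that COPY ... PROGRAM is gated on superuser or the pg_execute_server_program default role and that user input must never reach the shell command string, as an added SQL example. This is not code from the thread or from the PostgreSQL project; the role names app_user and etl_loader, the feed table, the /srv/feeds directory and the two load_feed functions are assumed for illustration, and the queries target PostgreSQL 11 where the three default roles named in the docs exist.

```sql
-- Added example, not from the thread or the PostgreSQL docs. Assumes PostgreSQL 11;
-- app_user, etl_loader, feed, /srv/feeds and the load_feed* functions are hypothetical.

-- 1. Audit: which login roles can reach the server's file system or shell via COPY?
--    That is every superuser plus anyone who is a member (directly or via
--    inheritance) of one of the three default roles the manual names.
SELECT r.rolname,
       r.rolsuper,
       pg_has_role(r.oid, 'pg_read_server_files',      'MEMBER') AS read_files,
       pg_has_role(r.oid, 'pg_write_server_files',     'MEMBER') AS write_files,
       pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER') AS exec_program
FROM   pg_roles r
WHERE  r.rolcanlogin
  AND (r.rolsuper
       OR pg_has_role(r.oid, 'pg_read_server_files',      'MEMBER')
       OR pg_has_role(r.oid, 'pg_write_server_files',     'MEMBER')
       OR pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER'))
ORDER  BY r.rolname;

-- 2. Intended behaviour: an ordinary role is refused. Run as a superuser.
CREATE ROLE app_user LOGIN;
SET ROLE app_user;
COPY (SELECT 1) TO PROGRAM 'cat > /dev/null';   -- refused: app_user is neither a
                                                -- superuser nor in pg_execute_server_program
RESET ROLE;

-- 3. Where a role genuinely needs COPY ... PROGRAM, grant the default role
--    instead of SUPERUSER. It can still run any program as the server OS user,
--    so treat it as equivalent to a shell on the database host.
CREATE ROLE etl_loader LOGIN;
GRANT pg_execute_server_program TO etl_loader;

CREATE TABLE feed (line text);

-- 4. The caveat from the manual: splicing caller input into the PROGRAM string
--    hands the caller the shell. A SECURITY DEFINER wrapper makes this reachable
--    by roles that were never granted pg_execute_server_program at all.
CREATE FUNCTION load_feed_unsafe(fname text) RETURNS void
LANGUAGE plpgsql SECURITY DEFINER SET search_path = pg_catalog, public AS $$
BEGIN
  -- %L quotes fname as a SQL literal only; the shell still sees ';', '|', '$(...)'.
  EXECUTE format('COPY feed FROM PROGRAM %L', 'gunzip -c /srv/feeds/' || fname);
END $$;
-- A caller passing  'x.csv.gz; id > /tmp/out'  gets "id" executed by the server.

-- Hardened form: the command template is fixed and the only variable part is
-- validated against an allow-list that admits no shell metacharacters.
CREATE FUNCTION load_feed(fname text) RETURNS void
LANGUAGE plpgsql SECURITY DEFINER SET search_path = pg_catalog, public AS $$
BEGIN
  IF fname !~ '^[A-Za-z0-9_]+\.csv\.gz$' THEN
    RAISE EXCEPTION 'invalid feed name: %', fname;
  END IF;
  EXECUTE format('COPY feed FROM PROGRAM %L', 'gunzip -c /srv/feeds/' || fname);
END $$;

-- Keep the wrapper itself tightly held: SECURITY DEFINER functions are
-- executable by PUBLIC by default.
REVOKE EXECUTE ON FUNCTION load_feed(text), load_feed_unsafe(text) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION load_feed(text) TO etl_loader;
```

The audit query in step 1 is the check to run before arguing about whether a given finding is a vulnerability: any row it returns is a principal who can already execute arbitrary programs as the server's OS user, by design. Step 4 is where real bugs live; the owner of a SECURITY DEFINER function must hold the privilege the function exercises, so it is typically a superuser, which is exactly why the command string has to be fixed.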