On 4/2/19 2:08 PM, Magnus Hagander wrote:
> On Tue, Apr 2, 2019 at 5:31 PM Andres Freund <andres@xxxxxxxxxxx> wrote:
>
> > Hi,
> >
> > On 2019-04-02 07:35:02 -0500, Brad Nicholson wrote:
> > > Michael Paquier <michael@xxxxxxxxxxx> wrote on 04/02/2019 01:05:01 AM:
> > >
> > > > From: Michael Paquier <michael@xxxxxxxxxxx>
> > > > To: "Jonathan S. Katz" <jkatz@xxxxxxxxxxxxxx>
> > > > Cc: Tom Lane <tgl@xxxxxxxxxxxxx>, Magnus Hagander <magnus@xxxxxxxxxxxx>,
> > > > Daniel Verite <daniel@xxxxxxxxxxxxxxxx>,
> > > > pgsql-general <pgsql-general@xxxxxxxxxxxxxxxxxxxx>
> > > > Date: 04/02/2019 01:05 AM
> > > > Subject: Re: CVE-2019-9193 about COPY FROM/TO PROGRAM
> > > >
> > > > On Mon, Apr 01, 2019 at 10:04:32AM -0400, Jonathan S. Katz wrote:
> > > > > +1, though I'd want to see if people get noisier about it before we
> > > > > rule out an official response.
> > > > >
> > > > > A blog post from a reputable author who can speak to security should
> > > > > be good enough and we can make noise through our various channels.
> > > >
> > > > Need a hand? Not sure if I am reputable enough though :)
> > > >
> > > > By the way, it could be the occasion to consider an official
> > > > PostgreSQL blog on the main website. News are not really a model
> > > > adapted for problem analysis and for entering into technical details.
> > >
> > > A blog post would be nice, but it seems to me having something about this
> > > clearly in the manual would be best, assuming it's not there already. I
> > > took a quick look, and couldn't find anything.
> >
> > https://www.postgresql.org/docs/devel/sql-copy.html
> >
> > "Note that the command is invoked by the shell, so if you need to pass
> > any arguments to shell command that come from an untrusted source, you
> > must be careful to strip or escape any special characters that might
> > have a special meaning for the shell. For security reasons, it is best
> > to use a fixed command string, or at least avoid passing any user input
> > in it."
> >
> > "Similarly, the command specified with PROGRAM is executed directly by
> > the server, not by the client application, must be executable by the
> > PostgreSQL user. COPY naming a file or command is only allowed to
> > database superusers or users who are granted one of the default roles
> > pg_read_server_files, pg_write_server_files, or
> > pg_execute_server_program, since it allows reading or writing any file
> > or running a program that the server has privileges to access."
> >
> > Those seem reasonable to me?
>
> Agreed, that part can't really be much clearer.
>
> But perhaps we should add a warning box
> to https://www.postgresql.org/docs/11/sql-createrole.html that basically
> says "creating a superuser means they can x, y and z"?

Yeah, I think that's the path forward -- make it much clearer by putting it
in the warning box and just re-stating that this is what it means.

Jonathan
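An added example, not part of this thread: an audit query an administrator can run on PostgreSQL 11 or later to list exactly the roles the quoted COPY documentation says may use COPY ... PROGRAM or COPY to/from server files (superusers, plus direct or indirect members of the three predefined roles). The role name `etl_loader` in the trailing GRANT is a placeholder.

```sql
-- Added example (not from the thread): list every role that may run
-- COPY ... PROGRAM or COPY to/from a server-side file, per the COPY docs:
-- superusers, plus members (including indirect members) of the predefined
-- roles pg_execute_server_program, pg_read_server_files and
-- pg_write_server_files. Requires PostgreSQL 11 or later, where these
-- predefined roles exist. Built-in pg_* roles are skipped so they do not
-- list themselves (a role is always a member of itself).
-- Note: superusers pass every membership check, so all three capability
-- columns read true for them; is_superuser shows why.
SELECT r.rolname,
       r.rolsuper                                                 AS is_superuser,
       pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER') AS can_run_program,
       pg_has_role(r.oid, 'pg_read_server_files',      'MEMBER') AS can_read_server_files,
       pg_has_role(r.oid, 'pg_write_server_files',     'MEMBER') AS can_write_server_files,
       r.rolcanlogin                                              AS can_login
FROM   pg_roles r
WHERE  r.rolname NOT LIKE 'pg\_%'
  AND (r.rolsuper
       OR pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER')
       OR pg_has_role(r.oid, 'pg_read_server_files',      'MEMBER')
       OR pg_has_role(r.oid, 'pg_write_server_files',     'MEMBER'))
ORDER BY r.rolsuper DESC, r.rolname;

-- Least-privilege alternative to creating a superuser for a role that only
-- needs to load files from the server's filesystem: grant the narrow
-- predefined role instead. 'etl_loader' is a placeholder role name.
GRANT pg_read_server_files TO etl_loader;
```

Any login-capable role in the result has the file and program access the documentation describes, so the list should match what is expected for the deployment.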