On 11/8/22 17:03, Laurenz Albe wrote: > On Tue, 2022-11-08 at 04:14 +0000, Jan Bilek wrote: > >> I know it is not exactly what you suggested (and agreeing a lot with our >> app user shouldn't be running as superuser), but as all other inputs >> from our application come sanitized through bind and this is the only >> way where user can send an explicit command in there - I think it should do! >> >> Please let me know if you approve. > I strongly disapprove, and any security audit you pass with such a setup > is worthless. I repeat: the application does not need to connect with > a superuser. > > I don't understand what you want to demonstrate with the code samples, or > what you mean when you say that "the user can send an explicit command". > > Yours, > Laurenz Albe Interesting. I agree that our app shouldn't need superuser, but that would mean that some ... you made me give it some serious though here. Installation itself is happening under elevated (root) rights. We are using the postgres account for moving in all what's needed (e.g. that plpython3u extension). Walking though our code for most of the day, I can't see why that superuser would be really needed. Those plpython3u functions are wrapped up under the hood already. I'm sending that in to check if our QA will find anything. Thanks for being stubborn about this! Cheers, Jan -- Jan Bilek - CTO at EFTlab Pty Ltd.