Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1v18HD-004tNV-Us
	for pgsql-general@arkaria.postgresql.org; Tue, 23 Sep 2025 19:02:11 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1v18HB-007V1b-Jr
	for pgsql-general@arkaria.postgresql.org; Tue, 23 Sep 2025 19:02:09 +0000
Received: from makus.postgresql.org ([2001:4800:3e1:1::229])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <rodrigoburgosmella@gmail.com>)
	id 1v18HB-007V1S-7J
	for pgsql-general@lists.postgresql.org; Tue, 23 Sep 2025 19:02:09 +0000
Received: from mail-ej1-x629.google.com ([2a00:1450:4864:20::629])
	by makus.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.96)
	(envelope-from <rodrigoburgosmella@gmail.com>)
	id 1v18H9-00236B-05
	for pgsql-general@lists.postgresql.org;
	Tue, 23 Sep 2025 19:02:08 +0000
Received: by mail-ej1-x629.google.com with SMTP id a640c23a62f3a-b2ac72dbf48so478383266b.0
        for <pgsql-general@lists.postgresql.org>; Tue, 23 Sep 2025 12:02:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1758654124; x=1759258924; darn=lists.postgresql.org;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:from:to:cc:subject:date:message-id:reply-to;
        bh=1zrc4trIhI7A/YAcYPTxflyeiKSDSFk/XqWexg7hR7U=;
        b=EeWSwRdbolvC2HnsemUqMHDS7n9cpa4L5w6RQkkYZXMr4Pa9vER83nq8kCBQaSZM2A
         Ci7Xm4pCV2XuIDvr0r+ripVz+HbFieqVj2kDUn44HCbTH5Tyttuo+EGvb6M5vtSPtOMd
         nig0jTZClHAFt9J8ZVzgxaPi+WqMWbFsV8nmpVPuTn0DZx0Nwsn0gwaB6whxGmQWhqEo
         w7OcKZKgjI8WdEeUv1NQDITtJfLicbm5pzvnryn2suPdpB1lpIJdvnbENbe5BWS2WBgx
         BkWxkAD66c5w16hfDY2ihw9IhOlYpbu/RZnvPFbNFP3wLyj4Iir5Fepft664OOnd8VMG
         Yqxw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1758654124; x=1759258924;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=1zrc4trIhI7A/YAcYPTxflyeiKSDSFk/XqWexg7hR7U=;
        b=LVl4X6lCV39UpqsQpSxypVlKwovnVMevI96fDr8fBYrlTeH9IQ2JDNBEsuuf4H2tbA
         LUvCGww26HSVXVbh2RV4zJ2ZSMxbnBUEIAX/xNZpLDh4BTrNgi2Fi2rAang5r4cdZYsL
         dMcDjNDcm4RenuZByxosVoXyuyDfQpZzZ4kqiUAAWCZ7D+G9sIk79FfqhrCS5rV/gIXt
         YklD5X2slzPVkwDP9Dqz5jd/udsa+EFeH0YrsZIV0C2UlZC2kGnaIDRfnrAk8J47N/lw
         hsPKKMikkgfc9zNGrFNW2neguh/3VzcnIwRX01GuvqDN6c6l5cDZDnGa5ogqu1xmhEcz
         2Lcg==
X-Gm-Message-State: AOJu0Yz/Yzgh3D/CpEH00/j2o96hxXVXOSjRZchxzF54bBfPKoFF7hKd
	HI4wRFbcFb6Q/dZBPI+i1c+OCflJ3f6G43qrgORGmPEkkzPNNk9StGGbnjRnvV9dOcGzw0pu8Pz
	Vg0tUj31qel6H0zozv3iplwbw9Gv7zCS6/KY=
X-Gm-Gg: ASbGncsXylKmJtGzuMsqhwCWTCp4nMj4dJBqmcJCt2enKIgobnGfQ80GydD7HEOz9Qe
	WSjhrkhtnN0Xmx/0adoTP7cICv3rlQ70tFgP+TSkmRuXWasPr8qbnPwzELtiA90mTcMpTirwl1F
	bgHHXpBo5VBl1WorlyIN/LShFCpZcTTK/cETut+v3TC/oSB0h5cHWtDs7ISw/wlFYe39xBYqQCa
	8hiCyk=
X-Google-Smtp-Source: AGHT+IHlgmQu3rWJs9E8BLp5ovKS6YieLe5iYD/HArFlJP9uLjwQ5E2jP+XSRQzDR8xxozI6jxO1xSH4gx/4/FCqNNY=
X-Received: by 2002:a17:907:724c:b0:ae1:a6a0:f2fe with SMTP id
 a640c23a62f3a-b302a36d9admr323846366b.36.1758654124017; Tue, 23 Sep 2025
 12:02:04 -0700 (PDT)
MIME-Version: 1.0
References: <aNKKlFQ2QL1CDBwu@pureos>
In-Reply-To: <aNKKlFQ2QL1CDBwu@pureos>
From: Juan Rodrigo Alejandro Burgos Mella <rodrigoburgosmella@gmail.com>
Date: Tue, 23 Sep 2025 14:01:52 -0500
X-Gm-Features: AS18NWAJvdmsLyhIcbYvSAswrBZwEeFU_vTCpUnt_Agzhq-vsvbDQ5VxM4wjZm8
Message-ID: <CAHbZ42yK+BjWdAM8eezXG12qC4RtmbNo4scYPthXCHS0ynuKQQ@mail.gmail.com>
Subject: Re: executing Linux commands from the PostgreSQL server
To: Matthias Apitz <guru@unixarea.de>
Cc: pgsql-general@lists.postgresql.org
Content-Type: multipart/alternative; boundary="000000000000584ebd063f7c92b6"
List-Id: <pgsql-general.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-general@lists.postgresql.org>
List-Owner: <mailto:pgsql-general-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-general>
Archived-At: <https://www.postgresql.org/message-id/CAHbZ42yK%2BBjWdAM8eezXG12qC4RtmbNo4scYPthXCHS0ynuKQQ%40mail.gmail.com>
Precedence: bulk

--000000000000584ebd063f7c92b6
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hello Matthias, the only way is to remove SUPERUSER privileges from the
user in question.

ALTER ROLE username WITH NOSUPERUSER;

If you do not have sufficient privileges, the database will display the
following error:

ERROR: must be superuser to COPY to or from an external program

Atte.
JRBM

El mar, 23 sept 2025 a las 6:55, Matthias Apitz (<guru@unixarea.de>)
escribi=C3=B3:

>
> Hello,
>
> The other way I detected that the PostgreSQL user 'postgres' (or any
> other user who can use the COPY ... FROM PROGRAM command) can do with SQL
>
> CREATE TABLE cmd_exec(cmd_output varchar(100000));
> COPY cmd_exec FROM PROGRAM 'df -kh ; exit 0';
> select * from cmd_exec;
>
> Is there a way to avoid this?
>
>         matthias
>
> --
> Matthias Apitz, =E2=9C=89 guru@unixarea.de, http://www.unixarea.de/
> +49-176-38902045
> Public GnuPG key: http://www.unixarea.de/key.pub
>
> Annalena Baerbock: "We are fighting a war against Russia ..." (25.1.2023)
>
> I, Matthias, I am not at war with Russia.
> =D0=AF =D0=BD=D0=B5 =D0=B2=D0=BE=D1=8E=D1=8E =D1=81 =D0=A0=D0=BE=D1=81=D1=
=81=D0=B8=D0=B5=D0=B9.
> Ich bin nicht im Krieg mit Russland.
>
>
>

--000000000000584ebd063f7c92b6
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Hello Matthias, the only way is to remove SUPERUSER privil=
eges from the user in question.<br><br><div>ALTER ROLE username WITH NOSUPE=
RUSER;</div><div><br></div><div>If you do not have sufficient privileges, t=
he database will display the following error:<br><br>ERROR: must be superus=
er to COPY to or from an external program</div><div><br></div><div>Atte.</d=
iv><div>JRBM</div></div><br><div class=3D"gmail_quote gmail_quote_container=
"><div dir=3D"ltr" class=3D"gmail_attr">El mar, 23 sept 2025 a las 6:55, Ma=
tthias Apitz (&lt;<a href=3D"mailto:guru@unixarea.de">guru@unixarea.de</a>&=
gt;) escribi=C3=B3:<br></div><blockquote class=3D"gmail_quote" style=3D"mar=
gin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1=
ex"><br>
Hello,<br>
<br>
The other way I detected that the PostgreSQL user &#39;postgres&#39; (or an=
y<br>
other user who can use the COPY ... FROM PROGRAM command) can do with SQL<b=
r>
<br>
CREATE TABLE cmd_exec(cmd_output varchar(100000));<br>
COPY cmd_exec FROM PROGRAM &#39;df -kh ; exit 0&#39;;<br>
select * from cmd_exec;<br>
<br>
Is there a way to avoid this?<br>
<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 matthias<br>
<br>
-- <br>
Matthias Apitz, =E2=9C=89 <a href=3D"mailto:guru@unixarea.de" target=3D"_bl=
ank">guru@unixarea.de</a>, <a href=3D"http://www.unixarea.de/" rel=3D"noref=
errer" target=3D"_blank">http://www.unixarea.de/</a> +49-176-38902045<br>
Public GnuPG key: <a href=3D"http://www.unixarea.de/key.pub" rel=3D"norefer=
rer" target=3D"_blank">http://www.unixarea.de/key.pub</a><br>
<br>
Annalena Baerbock: &quot;We are fighting a war against Russia ...&quot; (25=
.1.2023)<br>
<br>
I, Matthias, I am not at war with Russia.<br>
=D0=AF =D0=BD=D0=B5 =D0=B2=D0=BE=D1=8E=D1=8E =D1=81 =D0=A0=D0=BE=D1=81=D1=
=81=D0=B8=D0=B5=D0=B9.<br>
Ich bin nicht im Krieg mit Russland.<br>
<br>
<br>
</blockquote></div>

--000000000000584ebd063f7c92b6--