Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sHZJx-009BuM-DQ for pgsql-general@arkaria.postgresql.org; Thu, 13 Jun 2024 01:32:09 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1sHZJu-00AyFe-8D for pgsql-general@arkaria.postgresql.org; Thu, 13 Jun 2024 01:32:07 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sHZJt-00AyFS-Pb for pgsql-general@lists.postgresql.org; Thu, 13 Jun 2024 01:32:06 +0000 Received: from mail-ot1-f46.google.com ([209.85.210.46]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1sHZJn-001O6H-JS for pgsql-general@lists.postgresql.org; Thu, 13 Jun 2024 01:32:05 +0000 Received: by mail-ot1-f46.google.com with SMTP id 46e09a7af769-6f9611fc320so230687a34.2 for ; Wed, 12 Jun 2024 18:31:59 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1718242317; x=1718847117; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=KMy8axssgDHbFwGioT7Oh8UaK/SNtr0/9uPhDb20CqA=; b=Nfihznpnq9H5/8PgNSI6BpDjK8iNOWB5BcAtLUEU9OrNSzM9ilxFTSSqvi9NpUW4N7 AfjeouXjQGAxM9sXrqUBfGCXHHpsLJUZU312IVBGMLvRZDjNJ5DeT0FilrAlGl7sd/X8 04q3Fo3kU1k7JrcRzOKRsriWTFXjmLdXSSNKbF83az1b0XCIYZ9qs7ZmRCOEWQrQFEkp 56sVuABP3tEY2xQA/jUIk+nJ+APB2QbKY3LOy012EwpZmdeQjbVF2K/OnZHXAJG/zCW9 FZ/hiZNNZUoBJ+6HDRRak7DpaIah/0e1EcPsYVPXCGfoQYjQ1x2PBbCgbniSwXyQkcHL pPzg== X-Gm-Message-State: AOJu0YwsjpKVO2E2QSaEySnfqoUpxkygw5QnvWvJD0PxC/pRhS5Jbp0T 6SwV8I0tOipHEVdcG1p9khZKNB3pwyjPWm2LNV3ymBL9y5+qXZc1qAaHV0QXGgn1mPxRd5kRUab YB5oisyyyBs25PQ+EIbBTcnc+AqUDuPy4 X-Google-Smtp-Source: AGHT+IF772qz3vzrhq4o6pWoQSMaqdjNj7uJdSv2phMyWC0SNLlJ5wHZhY8K1BzDhPzVA8gVlvXShQV/V0Xo2TWrn6s= X-Received: by 2002:a05:6830:1413:b0:6f9:9da4:b1ee with SMTP id 46e09a7af769-6fa1be22c6dmr3571657a34.3.1718242317055; Wed, 12 Jun 2024 18:31:57 -0700 (PDT) MIME-Version: 1.0 From: Chema Date: Wed, 12 Jun 2024 19:31:32 -0600 Message-ID: Subject: "permission denied to COPY to or from an external program" even with GRANT pg_execute_server_program To: pgsql-general@lists.postgresql.org Content-Type: multipart/alternative; boundary="000000000000f23dbb061abb7612" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --000000000000f23dbb061abb7612 Content-Type: text/plain; charset="UTF-8" Dear Postgreezers, been banging my head against this one for a couple days. Googling and StackExchange were just as useful, so you're my last hope. I've been unable to get a non-admin user to run Copy From Program even after granting pg_execute_server_program, and everything else I could think of. It always fails with ERROR: permission denied to COPY to or from an external program. I'll let the code speak by itself. Here's a minimal example that I've tried in the last official Docker image: -- Spin a temporal Pg and connect to psql --docker run --name pg16 -e POSTGRES_PASSWORD=qwer -d postgres:16 --docker exec -ti pg16 psql -U postgres CREATE TABLE testtable ( id int NOT NULL GENERATED ALWAYS AS IDENTITY, name text NOT NULL ); Create Role justintestin noinherit login password 'qwer'; -- Necessary privileges GRANT CONNECT ON DATABASE postgres TO justintestin; GRANT USAGE ON SCHEMA public TO justintestin; GRANT ALL ON ALL TABLES IN SCHEMA public TO justintestin; -- Apply them to new tables/views created by admin account ALTER DEFAULT IN SCHEMA public GRANT ALL ON TABLES TO justintestin; -- Allow Copy From Program... or try to anyway GRANT pg_execute_server_program TO justintestin; -- Tests GRANT ALL ON testtable TO justintestin; GRANT ALL ON SCHEMA public TO justintestin; GRANT ALL ON DATABASE postgres to justintestin; GRANT pg_read_all_data TO justintestin; GRANT pg_write_all_data TO justintestin; --Copy works with admin account Copy testtable(name) From Program 'echo "Buffa Testata"' CSV; -- COPY 1 --But fails with justintestin SET role justintestin; Copy testtable(name) From Program 'echo "Errato Denegato"' CSV; --SQL Error [42501]: ERROR: permission denied to COPY to or from an external program -- Detail: Only roles with privileges of the "pg_execute_server_program" role may COPY to or from an external program. --Even tho he's privileged SELECT rolname FROM pg_roles WHERE pg_has_role(current_user, oid, 'member'); -- rolname --------------------------- -- pg_read_all_data -- pg_write_all_data -- pg_execute_server_program -- justintestin --Insert works Insert Into testtable ("name") VALUES('Pazzo Intestinato'); --INSERT 0 1 Select * From testtable; SELECT current_user, session_user; -- Clean up for new test SET role postgres; Drop Table testtable; Drop Owned By justintestin; Drop Role justintestin; What am I missing? (besides a few chunks of hair) --000000000000f23dbb061abb7612 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Dear Postgreezers,

been banging my head against this one for a couple days.=C2=A0 Googling= and StackExchange were just as useful, so you're my last hope.=C2=A0 I= 've been unable to get a non-admin user to run Copy From Program even after granting=C2=A0pg_execute_se= rver_program, and everything else= I could think of.=C2=A0 It always fails with=C2=A0ERROR: permission denied to COPY to or from an external program.

I'll let the code speak by itself.= =C2=A0 Here's a minimal example that I've tried in the last officia= l Docker image:

-- Spin a temporal Pg and connect= to psql

--docker run --name pg16 -e POSTG= RES_PASSWORD=3Dqwer -d postgres:16

--docker exec -ti pg16 psql -U po= stgres

CREATE TABLE testtable (

id int NOT NULL GENERATED ALWAYS AS IDENT= ITY,

name text NOT NULL

);

Create Role justintestin noinherit login= password 'qwer';

-- Necessary privileges

GRANT CONNECT ON DATABASE postgres TO justintes= tin;

GRANT USAGE ON SCHEMA public TO justintestin;

GRANT ALL ON ALL TABLES IN SCHEMA public TO justintestin;

-- Apply them to new tables/views= created by admin account

ALTER DEFAULT IN SCHEMA public GRANT ALL O= N TABLES TO justintestin;

-- Allow Copy From Program... or = try to anyway

GRANT pg_execute_server_program TO justintestin;

-- Tests

GRANT ALL ON testtable TO justintes= tin;

GRANT ALL ON SCHEMA public TO justintestin;

GRANT ALL ON DATABASE postgres to justintestin<= /span>;

GRANT pg_read_all_data TO justintestin;<= /span>

GRANT pg_write_all_data TO justintestin;=

--Copy works with admin account

Copy testtable(name) From Program &= #39;echo "Buffa Testata"' CSV;

-- COPY 1


--But fails with justintestin

SET role justintestin;

Copy testtable(name) From Program &= #39;echo "Errato Denegato"' CSV;

--SQL Error [42501]: ERROR: permi= ssion denied to COPY to or from an external program

-- Detail: Only roles with privi= leges of the "pg_execute_server_program" role may COPY to or from= an external program.


--Even tho he's privileged

SELECT rolname FROM pg_roles WHERE

pg_has_role(current_user, oid, 'member');

-- rolname

---------------------------

-- pg_read_all_data

-- pg_write_all_data

-- pg_execute_server_program

-- justintestin


--Insert works

Insert Into testtable ("name") VALUES('= ;Pazzo Intestinato');

--INSERT 0 1

Select * = From testtable;

SELECT current_user, = session_user= ;


-- Clean up for new test

SET role postgres;

Drop Table testtable;

Drop Owned By justintestin;

Drop Role justintestin;


Wha= t am I missing? (besides a few chunks of hair)
--000000000000f23dbb061abb7612--