public inbox for [email protected]
* "permission denied to COPY to or from an external program" even with GRANT pg_execute_server_program
@ 2024-06-13 01:31 Chema <[email protected]>
From: Chema @ 2024-06-13 01:31 UTC (permalink / raw)
To: [email protected]
Dear Postgreezers,
been banging my head against this one for a couple days. Googling and
StackExchange were just as useful, so you're my last hope. I've been
unable to get a non-admin user to run Copy From Program even after granting
pg_execute_server_program, and everything else I could think of. It always
fails with ERROR: permission denied to COPY to or from an external program.
I'll let the code speak by itself. Here's a minimal example that I've
tried in the last official Docker image:
-- Spin a temporal Pg and connect to psql
--docker run --name pg16 -e POSTGRES_PASSWORD=qwer -d postgres:16
--docker exec -ti pg16 psql -U postgres
CREATE TABLE testtable (
id int NOT NULL GENERATED ALWAYS AS IDENTITY,
name text NOT NULL
);
Create Role justintestin noinherit login password 'qwer';
-- Necessary privileges
GRANT CONNECT ON DATABASE postgres TO justintestin;
GRANT USAGE ON SCHEMA public TO justintestin;
GRANT ALL ON ALL TABLES IN SCHEMA public TO justintestin;
-- Apply them to new tables/views created by admin account
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO justintestin;
-- Allow Copy From Program... or try to anyway
GRANT pg_execute_server_program TO justintestin;
-- Tests
GRANT ALL ON testtable TO justintestin;
GRANT ALL ON SCHEMA public TO justintestin;
GRANT ALL ON DATABASE postgres to justintestin;
GRANT pg_read_all_data TO justintestin;
GRANT pg_write_all_data TO justintestin;
--Copy works with admin account
Copy testtable(name) From Program 'echo "Buffa Testata"' CSV;
-- COPY 1
--But fails with justintestin
SET role justintestin;
Copy testtable(name) From Program 'echo "Errato Denegato"' CSV;
--SQL Error [42501]: ERROR: permission denied to COPY to or from an external program
-- Detail: Only roles with privileges of the "pg_execute_server_program" role may COPY to or from an external program.
--Even tho he's privileged
SELECT rolname FROM pg_roles WHERE
pg_has_role(current_user, oid, 'member');
-- rolname
---------------------------
-- pg_read_all_data
-- pg_write_all_data
-- pg_execute_server_program
-- justintestin
--Insert works
Insert Into testtable ("name") VALUES('Pazzo Intestinato');
--INSERT 0 1
Select * From testtable;
SELECT current_user, session_user;
-- Clean up for new test
SET role postgres;
Drop Table testtable;
Drop Owned By justintestin;
Drop Role justintestin;
What am I missing? (besides a few chunks of hair)
* Re: "permission denied to COPY to or from an external program" even with GRANT pg_execute_server_program
@ 2024-06-13 01:44 David G. Johnston <[email protected]>
parent: Chema <[email protected]>
From: David G. Johnston @ 2024-06-13 01:44 UTC (permalink / raw)
To: Chema <[email protected]>; +Cc: [email protected] <[email protected]>
On Wednesday, June 12, 2024, Chema <[email protected]> wrote:
> Create Role justintestin noinherit login password 'qwer';
>
> GRANT pg_execute_server_program TO justintestin;
Pretty sure since you choose not to allow justintestin to inherit stuff you
will need to issue a “set role to pg_execute_server_program” before you
attempt the copy command.
David J.
* Re: "permission denied to COPY to or from an external program" even with GRANT pg_execute_server_program
@ 2024-06-13 01:48 Tom Lane <[email protected]>
parent: Chema <[email protected]>
From: Tom Lane @ 2024-06-13 01:48 UTC (permalink / raw)
To: Chema <[email protected]>; +Cc: [email protected]
Chema <[email protected]> writes:
> been banging my head against this one for a couple days. Googling and
> StackExchange were just as useful, so you're my last hope. I've been
> unable to get a non-admin user to run Copy From Program even after granting
> pg_execute_server_program, and everything else I could think of. It always
> fails with ERROR: permission denied to COPY to or from an external program.
Works for me:
regression=# create user joe;
CREATE ROLE
regression=# \c - joe
You are now connected to database "regression" as user "joe".
regression=> create table jt (t1 text);
CREATE TABLE
regression=> copy jt From Program 'echo "Buffa Testata"' CSV;
ERROR: permission denied to COPY to or from an external program
DETAIL: Only roles with privileges of the "pg_execute_server_program" role may COPY to or from an external program.
HINT: Anyone can COPY to stdout or from stdin. psql's \copy command also works for anyone.
regression=> \c - postgres
You are now connected to database "regression" as user "postgres".
regression=# GRANT pg_execute_server_program TO joe;
GRANT ROLE
regression=# \c - joe
You are now connected to database "regression" as user "joe".
regression=> copy jt From Program 'echo "Buffa Testata"' CSV;
COPY 1
What PG version are you working with?
regards, tom lane
* Re: "permission denied to COPY to or from an external program" even with GRANT pg_execute_server_program
@ 2024-06-13 01:53 Chema <[email protected]>
parent: David G. Johnston <[email protected]>
From: Chema @ 2024-06-13 01:53 UTC (permalink / raw)
To: David G. Johnston <[email protected]>; +Cc: [email protected] <[email protected]>
> Pretty sure since you choose not to allow justintestin to inherit stuff
> you will need to issue a “set role to pg_execute_server_program” before you
> attempt the copy command.
>
> David J.
That was it! Blind paranoia bites my rear again. Thanks!
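
The following is an added example, not part of the thread or written by any of its participants. It shows why the `pg_has_role(..., 'member')` check in the original report returned the role while COPY ... PROGRAM was still refused, and how the grant behaves with and without inheritance. All `copy_demo_*` names are hypothetical; it assumes a superuser session on a scratch PostgreSQL 16 database, run statement by statement in autocommit mode.

```sql
-- Added example. Run as a superuser; all copy_demo_* names are hypothetical.
CREATE TABLE copy_demo_t (name text NOT NULL);
CREATE ROLE copy_demo_noinherit NOINHERIT LOGIN;
CREATE ROLE copy_demo_inherit   INHERIT   LOGIN;
GRANT pg_execute_server_program TO copy_demo_noinherit, copy_demo_inherit;
GRANT INSERT ON copy_demo_t TO copy_demo_noinherit, copy_demo_inherit;

-- 'MEMBER' reports membership, inherited or not.
-- 'USAGE' reports whether the granted role's privileges apply without
-- SET ROLE, which is the condition COPY ... PROGRAM tests.
SELECT r.rolname,
       pg_has_role(r.rolname, 'pg_execute_server_program', 'MEMBER') AS is_member,
       pg_has_role(r.rolname, 'pg_execute_server_program', 'USAGE')  AS usable_now
FROM pg_roles r
WHERE r.rolname IN ('copy_demo_noinherit', 'copy_demo_inherit')
ORDER BY r.rolname;

-- PostgreSQL 16 stores the inherit and set flags on each grant.
SELECT member::regrole AS member, inherit_option, set_option
FROM pg_auth_members
WHERE roleid = 'pg_execute_server_program'::regrole;

-- Act as each role the way a fresh login would (superuser-only command).
SET SESSION AUTHORIZATION copy_demo_inherit;
-- Accepted: the membership is inherited.
COPY copy_demo_t(name) FROM PROGRAM 'echo "inherited"' CSV;

SET SESSION AUTHORIZATION copy_demo_noinherit;
-- Refused with the thread's "permission denied" error: the role is a member
-- but does not hold the predefined role's privileges until it does SET ROLE.
COPY copy_demo_t(name) FROM PROGRAM 'echo "not inherited"' CSV;
RESET SESSION AUTHORIZATION;

-- One remedy on 16: turn inheritance on for this one grant only.
-- (After SET ROLE pg_execute_server_program, the other route, current_user is
-- the predefined role, so table privileges are checked against that role.)
GRANT pg_execute_server_program TO copy_demo_noinherit WITH INHERIT TRUE;
SET SESSION AUTHORIZATION copy_demo_noinherit;
COPY copy_demo_t(name) FROM PROGRAM 'echo "now inherited"' CSV;
RESET SESSION AUTHORIZATION;

-- Clean up.
DROP TABLE copy_demo_t;
DROP ROLE copy_demo_noinherit, copy_demo_inherit;
```

When auditing who can run server-side programs, query with 'USAGE' as well as 'MEMBER': a NOINHERIT member can still reach the privilege through SET ROLE unless `set_option` is false.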