From: hubert depesz lubaczewski
Sender: depesz@depesz.com
Reply-To: depesz@depesz.com
To: Matthias Apitz
Cc: pgsql-general@lists.postgresql.org
Date: Tue, 23 Sep 2025 15:05:01 +0200
Subject: Re: executing Linux commands from the PostgreSQL server
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Precedence: bulk

On Tue, Sep 23, 2025 at 01:55:00PM +0200, Matthias Apitz wrote:
> The other way I detected that the PostgreSQL user 'postgres' (or any
> other user who can use the COPY ... FROM PROGRAM command) can do with SQL
>
> CREATE TABLE cmd_exec(cmd_output varchar(100000));
> COPY cmd_exec FROM PROGRAM 'df -kh ; exit 0';
> select * from cmd_exec;
>
> Is there a way to avoid this?

Don't use superuser.
Don't allow logging in as superuser from remote places.
Don't grant pg_execute_server_program to anyone.

Best regards,

depesz
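The three recommendations in the reply above map directly onto things an administrator can check and enforce. The following SQL is an added example written for this archive page; it is not code from either poster. It assumes PostgreSQL 11 or later (the release in which the pg_execute_server_program role was introduced) and uses `app_user` as a placeholder role name.

```sql
-- Added example, not part of the original thread.
-- Assumes PostgreSQL 11+ (pg_execute_server_program exists) and
-- PostgreSQL 10+ for the pg_hba_file_rules view. 'app_user' is a placeholder.

-- 1. Who can run COPY ... FROM/TO PROGRAM at all?
--    Superusers always can; so can any role that holds
--    pg_execute_server_program directly or via role inheritance.
SELECT r.rolname,
       r.rolsuper,
       r.rolcanlogin,
       pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER') AS can_exec_program
FROM   pg_roles AS r
WHERE  r.rolsuper
   OR  pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER')
ORDER  BY r.rolname;

-- 2. "Don't grant pg_execute_server_program to anyone":
--    if an application role shows up in the list above, take the grant back.
REVOKE pg_execute_server_program FROM app_user;

--    "Don't use superuser": make sure the application role is not one.
--    (Revoking the role from a superuser changes nothing, because the
--    superuser bit bypasses the role check entirely.)
ALTER ROLE app_user NOSUPERUSER;

-- 3. "Don't allow logging in as superuser from remote places" is enforced in
--    pg_hba.conf, not in SQL. Rules are matched top to bottom, so a reject
--    line placed before the general rules blocks the postgres superuser
--    from every non-local address while leaving 'local' (Unix-socket)
--    connections untouched. Example pg_hba.conf lines:
--
--      host  all  postgres  0.0.0.0/0  reject
--      host  all  postgres  ::/0       reject
--
--    Verify what the running server actually loaded:
SELECT line_number, type, database, user_name, address, auth_method, error
FROM   pg_hba_file_rules
ORDER  BY line_number;
```

The first query is the one worth scheduling: a new row appearing there is an audit finding in itself, since membership in pg_execute_server_program is equivalent to shell access as the database server's OS account. The `error` column of `pg_hba_file_rules` is non-null when a line failed to parse, which is the usual reason a reject rule that "should" be in effect is not.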