Re: CVE-2019-9193 about COPY FROM/TO PROGRAM

From: "Jonathan S(dot) Katz" <jkatz(at)postgresql(dot)org>
To: Magnus Hagander <magnus(at)hagander(dot)net>, Andres Freund <andres(at)anarazel(dot)de>
Cc: Brad Nicholson <bradn(at)ca(dot)ibm(dot)com>, Michael Paquier <michael(at)paquier(dot)xyz>, Daniel Verite <daniel(at)manitou-mail(dot)org>, pgsql-general <pgsql-general(at)lists(dot)postgresql(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Subject: Re: CVE-2019-9193 about COPY FROM/TO PROGRAM
Date: 2019-04-02 18:51:02
Message-ID: 6630e8e9-e2a5-fb01-8f00-b8faac502007@postgresql.org
Lists: pgsql-general

On 4/2/19 2:08 PM, Magnus Hagander wrote:
> On Tue, Apr 2, 2019 at 5:31 PM Andres Freund <andres(at)anarazel(dot)de> wrote:
>
> Hi,
>
> On 2019-04-02 07:35:02 -0500, Brad Nicholson wrote:
> > Michael Paquier <michael(at)paquier(dot)xyz> wrote on 04/02/2019 01:05:01 AM:
> >
> > > From: Michael Paquier <michael(at)paquier(dot)xyz>
> > > To: "Jonathan S. Katz" <jkatz(at)postgresql(dot)org>
> > > Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Magnus Hagander
> > > <magnus(at)hagander(dot)net>, Daniel Verite <daniel(at)manitou-mail(dot)org>,
> > > pgsql-general <pgsql-general(at)lists(dot)postgresql(dot)org>
> > > Date: 04/02/2019 01:05 AM
> > > Subject: Re: CVE-2019-9193 about COPY FROM/TO PROGRAM
> > >
> > > On Mon, Apr 01, 2019 at 10:04:32AM -0400, Jonathan S. Katz wrote:
> > > > +1, though I’d want to see if people get noisier about it before we
> > > > rule out an official response.
> > > >
> > > > A blog post from a reputable author who can speak to security should
> > > > be good enough and we can make noise through our various channels.
> > >
> > > Need a hand?  Not sure if I am reputable enough though :)
> > >
> > > By the way, it could be the occasion to consider an official
> > > PostgreSQL blog on the main website.  News are not really a model
> > > adapted for problem analysis and for entering into technical details.
> >
> > A blog post would be nice, but it seems to me having something about
> > this clearly in the manual would be best, assuming it's not there
> > already.  I took a quick look, and couldn't find anything.
>
> https://www.postgresql.org/docs/devel/sql-copy.html
>
> "Note that the command is invoked by the shell, so if you need to pass
> any arguments to shell command that come from an untrusted source, you
> must be careful to strip or escape any special characters that might
> have a special meaning for the shell. For security reasons, it is best
> to use a fixed command string, or at least avoid passing any user input
> in it."
>
> "Similarly, the command specified with PROGRAM is executed directly by
> the server, not by the client application, must be executable by the
> PostgreSQL user. COPY naming a file or command is only allowed to
> database superusers or users who are granted one of the default roles
> pg_read_server_files, pg_write_server_files, or
> pg_execute_server_program, since it allows reading or writing any file
> or running a program that the server has privileges to access."
>
> Those seem reasonable to me?
>
>
> Agreed, that part can't really be much clearer.
>
> But perhaps we should add a warning box
> to https://www.postgresql.org/docs/11/sql-createrole.html that basically
> says "creating a superuser means they can x, y and z"?

Yeah, I think that's the path forward -- make it much clearer by putting
it in the warning box and just re-stating that this is what it means.

Jonathan
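The quoted COPY documentation says the PROGRAM form is gated on superuser status or membership in pg_execute_server_program, and that the command runs as the server's OS user. The script below is an added example, not part of this thread or of the PostgreSQL documentation; it shows that gate on PostgreSQL 11 or later when run by a superuser, and ends with an audit query for the roles that can reach a shell or the filesystem through COPY. The role name app_reader and the table t_out are assumed for illustration.

```sql
-- Added example (not from the thread or the PostgreSQL docs).
-- Run as a superuser on PostgreSQL 11+. Names app_reader / t_out are assumed.
CREATE ROLE app_reader LOGIN;
CREATE TABLE t_out (line text);

-- An ordinary role is refused before any shell is involved: COPY ... PROGRAM
-- requires superuser or membership in pg_execute_server_program.
SET ROLE app_reader;
COPY t_out FROM PROGRAM 'id';          -- fails with a permission error
RESET ROLE;

-- Granting the predefined role is what turns the feature on for that user.
-- This is equivalent to giving app_reader command execution as the OS user
-- the server runs as, which is the point the quoted documentation makes.
GRANT pg_execute_server_program TO app_reader;
SET ROLE app_reader;
COPY t_out FROM PROGRAM 'id';          -- now runs "id" as the server's OS user
RESET ROLE;
SELECT line FROM t_out;

-- Audit: which login roles can run programs or touch server files via COPY?
-- pg_has_role(..., 'MEMBER') also reports true for superusers, so rolsuper is
-- shown separately to tell the two cases apart.
SELECT r.rolname,
       r.rolsuper                                                   AS superuser,
       pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER')    AS can_run_program,
       pg_has_role(r.oid, 'pg_read_server_files', 'MEMBER')         AS can_read_files,
       pg_has_role(r.oid, 'pg_write_server_files', 'MEMBER')        AS can_write_files
FROM pg_roles r
WHERE r.rolcanlogin
  AND (r.rolsuper
       OR pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER')
       OR pg_has_role(r.oid, 'pg_read_server_files', 'MEMBER')
       OR pg_has_role(r.oid, 'pg_write_server_files', 'MEMBER'))
ORDER BY r.rolname;
```

The audit query is the part worth keeping around: any role it lists is, by design, trusted with the server's OS account, so the list should match what you expect from your role grants and the application accounts should not appear on it.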
