Re: About "ERROR: must be *superuser* to COPY to or from a file"

From: Greg Stark <gsstark(at)mit(dot)edu>
To: Martijn van Oosterhout <kleptog(at)svana(dot)org>
Cc: Greg Stark <gsstark(at)mit(dot)edu>, Douglas McNaught <doug(at)mcnaught(dot)org>, emilu(at)cs(dot)concordia(dot)ca, pgsql-general(at)postgresql(dot)org
Subject: Re: About "ERROR: must be *superuser* to COPY to or from a file"
Date: 2005-08-27 19:53:49
Message-ID: 87r7cf6trm.fsf@stark.xeocode.com
Lists: pgsql-general

Martijn van Oosterhout <kleptog(at)svana(dot)org> writes:

> On Sat, Aug 27, 2005 at 01:20:29AM -0400, Greg Stark wrote:
> > For that matter it might be handy to be able to grant permission to regular
> > users to load or dump files to arbitrary locations. The security consequences
> > would have to be documented but I don't think they're so bad that you can say
> > nobody should ever be granting the privilege.
>
> Well, they would have access to every world readable file on the
> system, ie /etc, /usr, /lib, ... most files are world readable. There's
> a lot of discussion about this, yet no-one has demonstrated that COPY
> FROM STDIN isn't just as good and avoids all the issues entirely.

Well they're world-readable. So, uh, huh?

> Checking UIDs is just a hack which would only make a difference if
> you're on the same machine as the server which by definition is the
> situation with the least to gain. Copying over a UNIX domain socket is
> hardly likely to be a bottleneck.

You keep saying that. Why do you think so? Every bit of data has to be read in
by one process, copied into the kernel again, a context switch has to happen,
and then it has to be copied out of the kernel into another process, and then
written back again by the second process. If the machine is cpu-bound it will
cut its throughput dramatically. Context switches are expensive.

You would have to have a fast disk subsystem for this to really be an issue,
and be copying a lot of data for the slowdown to be really annoying. But there
are plenty of applications that fit that exact description. Data warehouses
spend most of their waking hours loading huge data sets using very large and
very fast raid arrays.

If you think checking uid is a hack (I don't see why it's at all hackish) then
I would suggest the really clean way of handling this is to simply pass the fd
along the unix domain socket. But it's not supported on nearly as many
variants of unix as simply checking the uid.

--
greg
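The two alternatives this message weighs, a peer-uid check and passing the open descriptor over the UNIX-domain socket, as an added example in C. This is not code from the thread or from PostgreSQL; the function names, the socketpair standing in for the client/server connection, and the temporary file are all constructed for the demo. The descriptor is passed with SCM_RIGHTS, and the peer uid is read with SO_PEERCRED on Linux or getpeereid() elsewhere. The security point it shows: the "server" side never receives a path and never calls open(), so it can only read what the "client" could already open under its own credentials, which is exactly the confused-deputy problem that makes COPY FROM a file superuser-only.

```c
#define _GNU_SOURCE            /* struct ucred, mkstemp */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <sys/un.h>

/* Send one open descriptor over a UNIX-domain socket (SCM_RIGHTS).
 * A one-byte payload is required; the fd rides in the ancillary data. */
static int send_fd(int sock, int fd_to_send)
{
    char dummy = 'F';
    struct iovec iov = { .iov_base = &dummy, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { 0 };
    msg.msg_iov = &iov;          msg.msg_iovlen = 1;
    msg.msg_control = u.buf;     msg.msg_controllen = sizeof u.buf;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd_to_send, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; returns the new fd or -1. The type/length check
 * rejects anything that is not exactly one SCM_RIGHTS fd. */
static int recv_fd(int sock)
{
    char dummy;
    struct iovec iov = { .iov_base = &dummy, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { 0 };
    msg.msg_iov = &iov;          msg.msg_iovlen = 1;
    msg.msg_control = u.buf;     msg.msg_controllen = sizeof u.buf;
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS
        || cm->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Effective uid of the peer on a connected UNIX-domain socket, or -1. */
static int peer_uid(int sock)
{
#if defined(__linux__)
    struct ucred cr; socklen_t len = sizeof cr;
    if (getsockopt(sock, SOL_SOCKET, SO_PEERCRED, &cr, &len) < 0) return -1;
    return (int)cr.uid;
#else
    uid_t uid; gid_t gid;
    if (getpeereid(sock, &uid, &gid) < 0) return -1;
    return (int)uid;
#endif
}

/* Constructed demo: sv[0] plays the client, sv[1] the server. The client
 * opens a temp file with its own permissions and hands over the fd; the
 * server reads it without ever seeing a path. Returns bytes read or -1. */
static ssize_t demo_copy_via_fd(const char *content, char *out, size_t outlen)
{
    char path[] = "/tmp/copy-fd-demo-XXXXXX";
    int tmp = mkstemp(path);
    if (tmp < 0) return -1;
    size_t n = strlen(content);
    if (write(tmp, content, n) != (ssize_t)n) { close(tmp); unlink(path); return -1; }
    close(tmp);

    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) { unlink(path); return -1; }
    int client_fd = open(path, O_RDONLY);         /* client-side open() */
    unlink(path);
    int sent = client_fd >= 0 ? send_fd(sv[0], client_fd) : -1;
    if (client_fd >= 0) close(client_fd);         /* client keeps nothing */
    int server_fd = sent == 0 ? recv_fd(sv[1]) : -1;
    close(sv[0]); close(sv[1]);
    if (server_fd < 0) return -1;
    ssize_t got = read(server_fd, out, outlen - 1);
    close(server_fd);
    if (got < 0) return -1;
    out[got] = '\0';
    return got;
}

/* Constructed check: over a socketpair the peer is this process, so the
 * uid check must report our own effective uid. Returns 1 on match. */
static int peer_uid_matches_self(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    int ok = peer_uid(sv[1]) == (int)geteuid();
    close(sv[0]); close(sv[1]);
    return ok;
}

int main(void)
{
    char buf[64];
    ssize_t got = demo_copy_via_fd("id,name\n1,alice\n", buf, sizeof buf);
    printf("server read %zd bytes via passed fd:\n%s", got, buf);
    printf("peer uid matches self: %d\n", peer_uid_matches_self());
    return 0;
}
```

In a real server the uid check would be used as the gate (allow file COPY only when the peer's uid equals the server's uid, or a configured one), and the descriptor route sidesteps the gate entirely because the kernel, not the server, enforced the file permissions at open() time. Both need an AF_UNIX connection; neither helps a TCP client, which is the case the thread agrees has nothing to gain.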
