| From: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
|---|---|
| To: | Sameer Kumar <sameer(dot)kumar(at)ashnik(dot)com> |
| Cc: | Dev Kumkar <devdas(dot)kumkar(at)gmail(dot)com>, "pgsql-general(at)postgresql(dot)org" <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: How to stop script executions |
| Date: | 2016-07-26 13:29:21 |
| Message-ID: | CAKFQuwaz9+QR+tLc59RWG7a5Y8HVfwQjQaDkKq+n1WfU5n1iSA@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Tue, Jul 26, 2016 at 9:21 AM, Sameer Kumar <sameer(dot)kumar(at)ashnik(dot)com>
wrote:
>
>> Yeah these extensions are not present, are their any chances of running
>> OS commands from database?
>>
>
> What do you mean by "from database"? I think you need to lay down your
> requirement and goal more clearly.
>
>
Typically this means that given user only having psql, or some other
backend protocol only, connect to the database are they able to execute
arbitrary commands as the user running the PostgreSQL process on the host
system.
Untrusted langauges are untrusted for specifically this reason. Without
untrusted languages it requires privilege escalation to interact
dynamically with the host operating system.
Assuming raised privileges it is presently impossible to prevent such
dynamic interaction.
David J.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Dev Kumkar | 2016-07-26 13:48:00 | Re: How to stop script executions |
| Previous Message | David G. Johnston | 2016-07-26 13:24:45 | Re: How to stop script executions |