| From: | Dev Kumkar <devdas(dot)kumkar(at)gmail(dot)com> |
|---|---|
| To: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
| Cc: | Sameer Kumar <sameer(dot)kumar(at)ashnik(dot)com>, "pgsql-general(at)postgresql(dot)org" <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: How to stop script executions |
| Date: | 2016-07-26 13:52:25 |
| Message-ID: | CALSLE1P8kXWN02o8SobYFXGY-dk4Kmd4OFJcWfCAv=S3As=AuQ@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Tue, Jul 26, 2016 at 6:59 PM, David G. Johnston <
david(dot)g(dot)johnston(at)gmail(dot)com> wrote:
> Typically this means that given user only having psql, or some other
> backend protocol only, connect to the database are they able to execute
> arbitrary commands as the user running the PostgreSQL process on the host
> system.
>
> Untrusted langauges are untrusted for specifically this reason. Without
> untrusted languages it requires privilege escalation to interact
> dynamically with the host operating system.
>
> Assuming raised privileges it is presently impossible to prevent such
> dynamic interaction.
>
Just thinking if untrusted language like plperlu is not installed then
executing arbitrary commands is not possible.
So the other possible which you did mention was COPY FROM PROGRAM command,
is this understanding correct?
Regards...
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Adrian Klaver | 2016-07-26 14:04:38 | Re: RE: [GENERAL] Re: [GENERAL] A simple extension immitating pg_notify |
| Previous Message | Dev Kumkar | 2016-07-26 13:48:00 | Re: How to stop script executions |