| From: | Chema <chema(at)interneta(dot)org> |
|---|---|
| To: | pgsql-general(at)lists(dot)postgresql(dot)org |
| Subject: | "permission denied to COPY to or from an external program" even with GRANT pg_execute_server_program |
| Date: | 2024-06-13 01:31:32 |
| Message-ID: | CALdEsqOM2q7bXt1Bo2S_41nHgSjR2_epzm=aHHFoHsQdzB3fqQ@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Dear Postgreezers,
been banging my head against this one for a couple days. Googling and
StackExchange were just as useful, so you're my last hope. I've been
unable to get a non-admin user to run Copy From Program even after granting
pg_execute_server_program, and everything else I could think of. It always
fails with ERROR: permission denied to COPY to or from an external program.
I'll let the code speak by itself. Here's a minimal example that I've
tried in the last official Docker image:
-- Spin a temporal Pg and connect to psql
--docker run --name pg16 -e POSTGRES_PASSWORD=qwer -d postgres:16
--docker exec -ti pg16 psql -U postgres
CREATE TABLE testtable (
id int NOT NULL GENERATED ALWAYS AS IDENTITY,
name text NOT NULL
);
Create Role justintestin noinherit login password 'qwer';
-- Necessary privileges
GRANT CONNECT ON DATABASE postgres TO justintestin;
GRANT USAGE ON SCHEMA public TO justintestin;
GRANT ALL ON ALL TABLES IN SCHEMA public TO justintestin;
-- Apply them to new tables/views created by admin account
ALTER DEFAULT IN SCHEMA public GRANT ALL ON TABLES TO justintestin;
-- Allow Copy From Program... or try to anyway
GRANT pg_execute_server_program TO justintestin;
-- Tests
GRANT ALL ON testtable TO justintestin;
GRANT ALL ON SCHEMA public TO justintestin;
GRANT ALL ON DATABASE postgres to justintestin;
GRANT pg_read_all_data TO justintestin;
GRANT pg_write_all_data TO justintestin;
--Copy works with admin account
Copy testtable(name) From Program 'echo "Buffa Testata"' CSV;
-- COPY 1
--But fails with justintestin
SET role justintestin;
Copy testtable(name) From Program 'echo "Errato Denegato"' CSV;
--SQL Error [42501]: ERROR: permission denied to COPY to or from an
external program
-- Detail: Only roles with privileges of the "pg_execute_server_program"
role may COPY to or from an external program.
--Even tho he's privileged
SELECT rolname FROM pg_roles WHERE
pg_has_role(current_user, oid, 'member');
-- rolname
---------------------------
-- pg_read_all_data
-- pg_write_all_data
-- pg_execute_server_program
-- justintestin
--Insert works
Insert Into testtable ("name") VALUES('Pazzo Intestinato');
--INSERT 0 1
Select * From testtable;
SELECT current_user, session_user;
-- Clean up for new test
SET role postgres;
Drop Table testtable;
Drop Owned By justintestin;
Drop Role justintestin;
What am I missing? (besides a few chunks of hair)
| From | Date | Subject | |
|---|---|---|---|
| Next Message | David G. Johnston | 2024-06-13 01:44:40 | Re: "permission denied to COPY to or from an external program" even with GRANT pg_execute_server_program |
| Previous Message | Dragan Milivojević | 2024-06-13 00:54:29 | Is NVMe RAID useless (performance-wise) with PostgreSQL? |