Re: BUG #1830: Non-super-user must be able to copy from a file - Mailing list pgsql-general

From Bruno Wolff III
Subject Re: BUG #1830: Non-super-user must be able to copy from a file
Msg-id 20050817115112.GA26038@wolff.to
Responses Re: [BUGS] BUG #1830: Non-super-user must be able to copy from a file  (Bernard <bht@actrix.gen.nz>)
List pgsql-general
On Wed, Aug 17, 2005 at 09:22:16 +0100,
  Bernard <bht@actrix.gen.nz> wrote:
>
> The following bug has been logged online:

This isn't a bug and you really should have asked this question on
another list. I am moving the discussion over to the general list.

>
> Bug reference:      1830
> Logged by:          Bernard
> Email address:      bht@actrix.gen.nz
> PostgreSQL version: 8.0.3
> Operating system:   Linux RedHat 9
> Description:        Non-super-user must be able to copy from a file
> Details:
>
> On the attempt to bulk load a table from a file that is owned by the
> non-superuser current database user, the following error message is
> printed:
>
> "must be superuser to COPY to or from a file"
>
> What is the reason for this limitation?

This is described in the documentation for the copy command.

>
> It can't justifiably be for security reasons because if a web application
> such as tomcat requires to bulk load tables automatically on a regular basis
> then one would be forced to let the web application connect as superuser,
> which is very bad for security.

No, because you can have the app read the file and then pass the data to
the copy command. To do this you use STDIN as the file name.

>
> In MySQL bulk loading works for all users.

You can use the \copy command in psql to load data from files.

>
> We need a Postgresql solution.
>
> We have a web application where both MySQL and Postgresql are supported. With
> Postgresql, the application would have to connect as user postgres. We have
> to explain this security risk to our clients very clearly.
>
> ---------------------------(end of broadcast)---------------------------
> TIP 2: Don't 'kill -9' the postmaster
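
The approach suggested in the reply above (the application reads the file itself and feeds it to COPY with STDIN as the source), sketched as an added example that is not part of the original message. It assumes a psycopg2-style cursor exposing `copy_expert(sql, file)`, CSV input, and that an empty CSV field means NULL; the function names are hypothetical.

```python
import csv
import io

# Characters that must be escaped in COPY's default text format.
_ESCAPES = {"\\": "\\\\", "\t": "\\t", "\n": "\\n", "\r": "\\r"}


def copy_text_field(value):
    """Encode one value for COPY text format; None becomes the NULL marker \\N."""
    if value is None:
        return "\\N"
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def quote_ident(name):
    """Quote an SQL identifier so a table or column name cannot inject SQL."""
    return '"' + name.replace('"', '""') + '"'


def csv_to_copy_stream(csv_text):
    """Convert CSV text to tab-separated COPY text format, one row per line."""
    out = []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row:  # skip blank lines; COPY would read them as a one-field row
            continue
        # Assumption: an empty CSV field is loaded as NULL.
        fields = [None if f == "" else f for f in row]
        out.append("\t".join(copy_text_field(f) for f in fields) + "\n")
    return "".join(out)


def load_file(cursor, path, table, columns):
    """Load a client-side file through COPY ... FROM STDIN.

    The file is opened with the application's own OS privileges, so the
    database role needs only INSERT on the table, not superuser.
    """
    with open(path, newline="", encoding="utf-8") as fh:
        stream = io.StringIO(csv_to_copy_stream(fh.read()))
    cols = ", ".join(quote_ident(c) for c in columns)
    sql = f"COPY {quote_ident(table)} ({cols}) FROM STDIN"
    cursor.copy_expert(sql, stream)  # psycopg2 cursor method (assumed driver)
    return sql
```

With psycopg2, `cursor` is `conn.cursor()` on a connection opened as the ordinary application role.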
