Re: Hardening PostgreSQL via (optional) ban on local file system access - Mailing list pgsql-hackers

From Nathan Bossart
Subject Re: Hardening PostgreSQL via (optional) ban on local file system access
Date
Msg-id 20220624230647.GA212143@nathanxps13
Whole thread Raw
In response to Hardening PostgreSQL via (optional) ban on local file system access  (Hannu Krosing <hannuk@google.com>)
List pgsql-hackers
On Sat, Jun 25, 2022 at 12:08:13AM +0200, Hannu Krosing wrote:
> As part of ongoing work on PostgreSQL  security hardening we have
> added a capability to disable all file system access (COPY TO/FROM
> [PROGRAM] <filename>, pg_*file*() functions, lo_*() functions
> accessing files, etc) in a way that can not be re-enabled without
> already having access to the file system. That is via a flag which can
> be set only in postgresql.conf or on the command line.
> 
> Currently the file system access is controlled via being a SUPREUSER
> or having the pg_read_server_files, pg_write_server_files and
> pg_execute_server_program roles. The problem with this approach is
> that it will not stop an attacker who has managed to become the
> PostgreSQL  SUPERUSER from  breaking out of the server to reading and
> writing files and running programs in the surrounding container, VM or
> OS.

There was some recent discussion in this area you might be interested in
[0].

[0] https://postgr.es/m/20220520225619.GA876272%40nathanxps13

-- 
Nathan Bossart
Amazon Web Services: https://aws.amazon.com



pgsql-hackers by date:

Previous
From: "David G. Johnston"
Date:
Subject: Re: Hardening PostgreSQL via (optional) ban on local file system access
Next
From: Andres Freund
Date:
Subject: Re: Hardening PostgreSQL via (optional) ban on local file system access