On Sat, Jun 25, 2022 at 12:08:13AM +0200, Hannu Krosing wrote:
> As part of ongoing work on PostgreSQL security hardening we have
> added a capability to disable all file system access (COPY TO/FROM
> [PROGRAM] <filename>, pg_*file*() functions, lo_*() functions
> accessing files, etc) in a way that can not be re-enabled without
> already having access to the file system. That is via a flag which can
> be set only in postgresql.conf or on the command line.
>
> Currently the file system access is controlled via being a SUPREUSER
> or having the pg_read_server_files, pg_write_server_files and
> pg_execute_server_program roles. The problem with this approach is
> that it will not stop an attacker who has managed to become the
> PostgreSQL SUPERUSER from breaking out of the server to reading and
> writing files and running programs in the surrounding container, VM or
> OS.
There was some recent discussion in this area you might be interested in
[0].
[0] https://postgr.es/m/20220520225619.GA876272%40nathanxps13
--
Nathan Bossart
Amazon Web Services: https://aws.amazon.com