Re: [PATCH] Add enable_copy_program GUC to control COPY PROGRAM - Mailing list pgsql-hackers

From Jelte Fennema-Nio
Subject Re: [PATCH] Add enable_copy_program GUC to control COPY PROGRAM
Msg-id CAGECzQR8HPLbUpMzH=sXcKUzO_Su4cgWuDOrywLmb+ek2eYi7A@mail.gmail.com
In response to Re: [PATCH] Add enable_copy_program GUC to control COPY PROGRAM  (Kirill Reshke <reshkekirill@gmail.com>)
Responses Re: [PATCH] Add enable_copy_program GUC to control COPY PROGRAM
List pgsql-hackers
On Thu, 4 Dec 2025 at 05:11, Kirill Reshke <reshkekirill@gmail.com> wrote:
> Hi! Superuser can change archive command to arbitrary bash, which is also useful for an attacker. What should we do in
> this case? We definitely cannot restrict archive command management to localhost, can we?

I'm curious why you think we cannot restrict archive command
management to localhost? I think we could even completely disallow
changing archive_command with ALTER SYSTEM, by marking it as
GUC_DISALLOW_IN_AUTO_FILE. What user is regularly changing their
archive_command through ALTER SYSTEM in practice, and why couldn't
they change postgresql.conf instead? And if any automation does that,
it could just as easily change postgresql.conf.

We'd still need to disallow writing postgresql.conf by superuser in
trivial ways, in particular COPY mytable TO
'/abs/path/to/datadir/postgresql.conf'. Maybe even disallow COPY
mytable TO 'file' completely by default.

Yes, this means more is needed than just disallowing COPY PROGRAM. But
I really do think we could spend a little bit of effort to not make
attackers' lives as easy as we do today, especially because these
features don't provide any benefit to the majority of our users. And
to make it clear that these blockages are not foolproof, we could
allow people to enable all this functionality again with a GUC like
"allow_trivial_exploits_with_superuser = true" (and add documentation
to make it clear that exploits with superuser access are always
possible, just not the most trivial ones).