Thread: Disable access shell command in psql
Hello to everyone,
I have one database server with postgresql 8.1 and I discovered yesterday one security problem.
When I access my server through psql I have the possibility to execute commands in my server using "\!" or write one file using "\e".
I want to disable these options in my server but I searched for it and did not find it.
Can someone help me, please?
Many thanks,
Thiago
----------------------------------------------------------------
THIAGO MALUF RESENDE
Consultor Voip e Programador WEB (Voip Developer and Web Developer)
Tel: +55 21 86042100
e-mail: malufrj@gmail.com
On Mon, Jul 23, 2007 at 10:59:17AM -0300, Thiago Maluf wrote:
> I have one database server with postgresql 8.1 and I discovered yesterday
> one security problem.
> When I access my server with thought psql I have the possibility execute
> command in my server using "\!" or write one file using "\e".
> I want disable these options in my server but I searched it and not found.
These psql commands run on the client with the privileges of the client; they don't allow the client to do anything it couldn't already do from the shell, and presumably the client already has access to the shell if it's running psql.
This would be a security problem if you use psql to run SQL statements from an untrusted source, but if you're doing that then you already have a security problem.
--
Michael Fuhr
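The case raised in the reply above, SQL from an untrusted source being fed to psql, as an added example that is not part of the original thread: a pre-check that lists psql backslash commands in a script before it is run. The command set, the name `find_meta_commands` and the sample script are assumptions constructed for illustration.

```python
import re

# Selection of psql meta-commands that touch the client's shell or files
# (assumed list for this example, not exhaustive).
CLIENT_SIDE = {"!", "e", "o", "w", "i", "g", "s", "cd", "copy",
               "lo_import", "lo_export"}

# Comments and quoted text are matched first so a backslash inside them is
# skipped. Assumes standard_conforming_strings = on and non-nested comments.
TOKEN = re.compile(r"""
    --[^\n]*                         # line comment
  | /\*.*?\*/                        # block comment
  | '(?:[^']|'')*'                   # string literal
  | "(?:[^"]|"")*"                   # quoted identifier
  | (\$(?:[A-Za-z_]\w*)?\$).*?\1     # dollar-quoted string
  | \\(?P<cmd>[^\s\\]+)              # backslash meta-command
""", re.S | re.X)


def find_meta_commands(script):
    """Return (line_no, command, client_side) for each meta-command."""
    hits = []
    for m in TOKEN.finditer(script):
        cmd = m.group("cmd")
        if cmd is None:
            continue  # comment or quoted text, not a command
        line_no = script.count("\n", 0, m.start()) + 1
        # Conservative: also flag text glued directly onto "\!".
        risky = cmd in CLIENT_SIDE or cmd.startswith("!")
        hits.append((line_no, cmd, risky))
    return hits


# Constructed sample of a script received from an untrusted source.
SAMPLE = r"""CREATE TABLE t (note text);
INSERT INTO t VALUES ('path is C:\e\tmp');  -- \! not a command here
\! date
SELECT $q$ \o inside dollar quotes $q$;
\copy t to '/tmp/t.csv'
\d t
"""

if __name__ == "__main__":
    for line_no, cmd, risky in find_meta_commands(SAMPLE):
        print(line_no, "\\" + cmd, "CLIENT-SIDE EFFECT" if risky else "review")
```

Any hit in a script that is supposed to contain only SQL is a reason to reject it rather than pass it to psql.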
"Thiago Maluf" <malufrj@gmail.com> writes:
> I have one database server with postgresql 8.1 and I discovered yesterday
> one security problem.
> When I access my server with thought psql I have the possibility execute
> command in my server using "\!" or write one file using "\e".
These are done on the client side, not the server side. There is no security issue here, because psql's user could equally well do the same things without using psql.
regards, tom lane
I'm sorry, list.
I made a mistake.
Thanks to everyone.
Thiago
--
----------------------------------------------------------------
THIAGO MALUF RESENDE
Consultor Voip e Programador WEB (Voip Developer and Web Developer)
Tel: +55 21 86042100
e-mail: malufrj@gmail.com
2007/7/23, Tom Lane <tgl@sss.pgh.pa.us>:
"Thiago Maluf" <malufrj@gmail.com> writes:
> I have one database server with postgresql 8.1 and I discovered yesterday
> one security problem.
> When I access my server with thought psql I have the possibility execute
> command in my server using "\!" or write one file using "\e".
These are done on the client side, not the server side. There is no
security issue here, because psql's user could equally well do the
same things without using psql.
regards, tom lane