Re: Hardening PostgreSQL via (optional) ban on local file system access

On Sat, 2022-06-25 at 00:08 +0200, Hannu Krosing wrote:
> Hi Pgsql-Hackers
> 
> As part of ongoing work on PostgreSQL  security hardening we have
> added a capability to disable all file system access (COPY TO/FROM
> [PROGRAM] <filename>, pg_*file*() functions, lo_*() functions
> accessing files, etc) in a way that can not be re-enabled without
> already having access to the file system. That is via a flag which
> can
> be set only in postgresql.conf or on the command line.

How much of this can be done as a special extension already?

For instance, a ProcessUtility_hook can prevent superuser from
executing COPY TO/FROM PROGRAM.

As others point out, that would still leave a lot of surface area for
attacks, e.g. by manipulating the catalog. But it could be a starting
place to make attacks "harder", without core postgres needing to make
security promises that will be hard to keep.

Regards,
    Jeff Davis