BUG #1834: Non-super-user must be able to copy from a file through JDBC

bht

The following bug has been logged online:

Bug reference:      1834
Logged by:          Bernard
Email address:      [hidden email]
PostgreSQL version: 8.03
Operating system:   Linux RedHat 9
Description:        Non-super-user must be able to copy from a file through JDBC
Details:

On the attempt to bulk load a table from a file that is owned by the
non-superuser current database user, the following error message is
printed:

"must be superuser to COPY to or from a file"

Following this advice would force the application to connect as superuser,
which is a severe security risk.

The Postgres-specific workaround to use STDIN with COPY is not supported by
the Postgres JDBC driver.

In comparison, MySQL bulk loading works for all users with its JDBC driver.

We need a Postgresql solution to this security issue that is as simple as
the MySQL version.

We have a web application where both MySQL and Postgresql are supported. With
Postgresql, the application would have to connect as user postgres. We have
to explain this security risk to our clients very clearly.
