Re: Disable executing external commands from psql? - Mailing list pgsql-general
| From | Ken Tanzer |
|---|---|
| Subject | Re: Disable executing external commands from psql? |
| Date | |
| Msg-id | 4C05A068.2010204@gmail.com Whole thread Raw |
| In response to | Re: Disable executing external commands from psql? (Tom Lane <tgl@sss.pgh.pa.us>) |
| Responses |
Re: Disable executing external commands from psql?
Re: Disable executing external commands from psql? Re: Disable executing external commands from psql? |
| List | pgsql-general |
> > The better way to go about that is to not let them have an account on > the server machine in the first place. Just expose the postmaster port > (perhaps via ssh tunneling) and let them run psql on their own machines. Somehow, exposing my database ports to the internet scares me more than any (possibly crazy) stuff I'm trying to do. :) But seriously I think I need to give them accounts--I'm setting up online instances of a web app, so they have a set of (editable) PHP files, possibly some storage, a log file, etc. It seemed that setting each up as its own user was better than going through some uber-process that had access to all the files. Just to be clear, cause I'm a little thick sometimes, it is not possible to do this? Thanks, Ken On 06/01/2010 04:55 PM, Tom Lane wrote: > Ken Tanzer<ken.tanzer@gmail.com> writes: > >> Hi. I'm wondering if it is possible to disable use of \! to execute >> commands in psql? I see this has come up on the list before >> (http://archives.postgresql.org/pgsql-admin/2007-07/msg00242.php), but I >> don't see anyone saying whether it is possible or not, just that it's a >> bad or useless idea. >> > Yes, it seems pretty useless. > > >> It may or may not be a bad idea (e.g., carry some risk). My scenario is >> that I'd like to give people that I don't necessarily know (or therefore >> trust) the ability to run psql for a database I've already set up for >> them. I set their login shell to psql, so they can simply ssh in, and >> they are in psql. From there, though, they can do a simple \! >> /bin/bash, and they've got way more access than I want them to. >> > >> So is there any way to disable the "\!" stuff? If there's a better way >> to go about this, I suppose I'm all ears too! >> > The better way to go about that is to not let them have an account on > the server machine in the first place. Just expose the postmaster port > (perhaps via ssh tunneling) and let them run psql on their own machines. > > regards, tom lane > -- ------------------------------------------------------- AGENCY Software For nonprofits that want to take control of their data Use it. Like it. Share it. Build it. Buy it. http://agency-software.org -------------------------------------------------------
pgsql-general by date: