block_copy_command
block_copy_command : Block COPY commands via a configurable ProcessUtility hook
Overview
| ID | Extension | Package | Version | Category | License | Language |
|---|---|---|---|---|---|---|
| 7405 | block_copy_command | block_copy_command | 0.1.5 | SEC | BSD 3-Clause | Rust |
| Attribute | Has Binary | Has Library | Need Load | Has DDL | Relocatable | Trusted |
|---|---|---|---|---|---|---|
--sLd-- | No | Yes | Yes | Yes | no | no |
Requires shared_preload_libraries = block_copy_command.
Packages
| Type | Repo | Version | PG Major Compatibility | Package Pattern | Dependencies |
|---|---|---|---|---|---|
| EXT | PIGSTY | 0.1.5 | 18 17 16 15 14 | block_copy_command | - |
| RPM | PIGSTY | 0.1.5 | 18 17 16 15 14 | block_copy_command_$v | - |
| DEB | PIGSTY | 0.1.5 | 18 17 16 15 14 | postgresql-$v-block-copy-command | - |
| Linux / PG | PG18 | PG17 | PG16 | PG15 | PG14 |
|---|---|---|---|---|---|
el8.x86_64 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 |
el8.aarch64 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 |
el9.x86_64 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 |
el9.aarch64 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 |
el10.x86_64 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 |
el10.aarch64 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 |
d12.x86_64 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 |
d12.aarch64 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 |
d13.x86_64 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 |
d13.aarch64 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 |
u22.x86_64 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 |
u22.aarch64 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 |
u24.x86_64 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 |
u24.aarch64 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 |
u26.x86_64 | MISS | MISS | MISS | MISS | MISS |
u26.aarch64 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 | PIGSTY 0.1.5 |
Source
pig build pkg block_copy_command; # build rpm/debInstall
Make sure PGDG and PIGSTY repo available:
pig repo add pgsql -u # add both repo and update cacheInstall this extension with pig:
pig install block_copy_command; # install via package name, for the active PG version
pig install block_copy_command -v 18; # install for PG 18
pig install block_copy_command -v 17; # install for PG 17
pig install block_copy_command -v 16; # install for PG 16
pig install block_copy_command -v 15; # install for PG 15
pig install block_copy_command -v 14; # install for PG 14Config this extension to shared_preload_libraries:
shared_preload_libraries = 'block_copy_command';Create this extension with:
CREATE EXTENSION block_copy_command;Usage
- Source: README
block_copy_command installs a ProcessUtility hook that intercepts COPY statements. The hook is cluster-wide once the library is loaded, while CREATE EXTENSION only registers metadata in a database.
Enable It
shared_preload_libraries = 'block_copy_command'CREATE EXTENSION block_copy_command;Blocking Rules
By default, non-superusers cannot run COPY TO or COPY FROM:
COPY my_table TO STDOUT;
COPY my_table FROM STDIN;
COPY (SELECT * FROM my_table) TO '/tmp/out.csv';Priority is documented as:
block_copy_command.blocked_roles: always blocked, even superusers.block_copy_command.block_program = on: blocksCOPY ... PROGRAMfor everyone.block_copy_command.enabled = off: allowsCOPYfor roles not inblocked_roles.- Superusers otherwise bypass direction blocking.
block_copy_command.block_toandblock_copy_command.block_fromcontrol export/import blocking for non-superusers.
Main Settings
block_copy_command.enabled: master switch for non-superuser blocking.block_copy_command.block_to: blockCOPY TO.block_copy_command.block_from: blockCOPY FROM.block_copy_command.block_program: blockCOPY TO/FROM PROGRAMfor all users.block_copy_command.hint: append a customHINTto blocked-command errors.block_copy_command.blocked_roles: comma-separated always-blocked roles.block_copy_command.audit_log_enabled: write intercepted events to the audit table.
Audit And Caveats
Allowed and blocked attempts are intercepted, and the extension defines block_copy_command.audit_log plus server-log entries for blocked events. The README notes one important caveat: blocked audit rows are inserted before the error is raised, so they are rolled back with the transaction. In practice, PostgreSQL server logs are the authoritative record for blocked COPY attempts.