The COPY command transfers data between tables and files on disk. The files are accessed with the privileges of the operating system user that the database runs as. Given the security implications of this command, it is available only to database superusers. The following examples assume that access to the database has been achieved through SQL injection in a web application, and that, against best practice, the application has connected to the database using superuser credentials.
The COPY command does not accept relative paths (from copy.c: “Prevent write to relative path . . . too easy to shoot oneself in the foot by overwriting a database file . . .”). This prevents using ~ to select the PostgreSQL home directory. The Unix temporary directory, /tmp, is likely to be writable. If the database is version 8.0, configuration parameters such as the database file locations can be determined via SELECT current_setting('<settingname>'). The data_directory setting reveals where the database files are actually stored; this directory will obviously be writable.
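For detection, a COPY that touches the server's filesystem stands out in the statement log because it names a quoted file path rather than STDIN or STDOUT. The following is an added example, not code from the original text: it scans statement log lines for such COPY statements and tags paths under the data directory or /tmp. The log_line_prefix format, role names, allowlist and all paths are assumptions constructed for illustration.

```python
import posixpath
import re

# Assumed log_line_prefix '%m [%p] %u@%d ' with log_statement = 'all'.
LOG_LINE = re.compile(
    r"^\S+ \S+ \S+ \[(?P<pid>\d+)\] (?P<role>[^@\s]+)@\S+ LOG:\s+statement: (?P<sql>.*)$")
# COPY ... TO|FROM '<file>' names a server-side file; STDIN/STDOUT (what
# psql's \copy sends) carries no quoted path and is not matched.
COPY_FILE = re.compile(
    r"\bCOPY\b.*?\b(?P<dir>TO|FROM)\s+E?'(?P<path>(?:[^']|'')*)'", re.IGNORECASE)

DATA_DIRECTORY = "/var/lib/pgsql/data"  # assumed; read it from current_setting('data_directory')
ALLOWED = {("etl", "/srv/export/")}     # hypothetical approved (role, path prefix) pairs

# Constructed sample log lines; roles, tables and paths are made up.
SAMPLE_LOG = """\
2024-01-01 10:00:01 UTC [411] webapp@shop LOG:  statement: SELECT id FROM items WHERE id = 7
2024-01-01 10:00:02 UTC [411] webapp@shop LOG:  statement: COPY items TO STDOUT
2024-01-01 10:00:03 UTC [411] webapp@shop LOG:  statement: SELECT 1; COPY notes TO '/tmp/out.txt'
2024-01-01 10:00:04 UTC [412] webapp@shop LOG:  statement: copy notes (body) from E'/var/lib/pgsql/data/example.conf'
2024-01-01 10:00:05 UTC [413] etl@shop LOG:  statement: COPY (SELECT 'x') TO '/srv/export/daily.csv' WITH CSV
"""

def find_server_side_copy(log_text):
    """Return (pid, role, direction, path, note) for each unapproved file COPY."""
    findings = []
    for line in log_text.splitlines():
        entry = LOG_LINE.match(line)
        if not entry:
            continue
        for stmt in COPY_FILE.finditer(entry["sql"]):
            # Normalise so '/srv/export/../../tmp/x' cannot pass the allowlist.
            path = posixpath.normpath(stmt["path"].replace("''", "'"))
            role = entry["role"]
            if any(role == r and path.startswith(p) for r, p in ALLOWED):
                continue
            if path.startswith(DATA_DIRECTORY + "/"):
                note = "inside data_directory"
            elif path.startswith("/tmp/"):
                note = "in /tmp"
            else:
                note = "other server path"
            findings.append((entry["pid"], role, stmt["dir"].upper(), path, note))
    return findings

if __name__ == "__main__":
    for finding in find_server_side_copy(SAMPLE_LOG):
        print(finding)
```

A web application role issuing any file-based COPY is worth an alert on its own, since COPY to or from a file is restricted to superusers.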
An attacker can further compromise a Unix system via the COPY command by writing to a number of files: