
Suppose I created a db user with

create role myuser login password 'xyz';

and allowed typical read and write db permissions.

If a malicious user finds these login credentials (and has access to db), what is the worst he can do to the Ubuntu server where the db lives? (e.g. can he get access to the OS shell? can he install something? can he remove non-db files? ...)


2 Answers


A user that is neither a superuser nor a member of the pg_write_server_files or pg_execute_server_programs roles cannot directly modify anything on the database server operating system.

The worst such a user can do is to fill the disk with data or temp files and put load on disk and CPU.

However, if there is a careless superuser that creates insecure "security definer" functions or executes functions created by a malicious user, that malicious user may be able to usurp higher privileges and do more damage.

Laurenz Albe
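As an added example (not part of either answer), the catalog queries below let an administrator check whether a login role such as myuser holds any of the privileges the answer above names, and whether a superuser-owned SECURITY DEFINER function is reachable from it. They assume PostgreSQL 11 or later, where the pg_*_server_* predefined roles exist, and the role name myuser from the question.

```sql
-- Added audit queries; not from the original answers. Run as a role that can
-- read the system catalogs (e.g. a superuser).

-- 1. Which login roles (excluding the built-in pg_* roles) can reach the OS?
--    Superusers are implicitly members of every role, so they show TRUE in
--    all three columns.
SELECT r.rolname,
       r.rolsuper,
       pg_has_role(r.oid, 'pg_read_server_files',      'MEMBER') AS read_server_files,
       pg_has_role(r.oid, 'pg_write_server_files',     'MEMBER') AS write_server_files,
       pg_has_role(r.oid, 'pg_execute_server_programs','MEMBER') AS execute_server_programs
FROM   pg_roles r
WHERE  r.rolcanlogin
  AND  r.rolname NOT LIKE 'pg\_%'
  AND (r.rolsuper
       OR pg_has_role(r.oid, 'pg_read_server_files',       'MEMBER')
       OR pg_has_role(r.oid, 'pg_write_server_files',      'MEMBER')
       OR pg_has_role(r.oid, 'pg_execute_server_programs', 'MEMBER'))
ORDER  BY r.rolname;

-- 2. SECURITY DEFINER functions owned by a superuser that myuser may execute.
--    The last column flags functions that do not pin search_path, which is the
--    usual way such a function ends up calling attacker-controlled objects.
SELECT n.nspname                      AS schema,
       p.proname                      AS function,
       pg_get_userbyid(p.proowner)    AS owner,
       EXISTS (SELECT 1 FROM unnest(p.proconfig) AS c
               WHERE c LIKE 'search_path=%')  AS search_path_pinned
FROM   pg_proc p
JOIN   pg_namespace n ON n.oid = p.pronamespace
JOIN   pg_roles     o ON o.oid = p.proowner
WHERE  p.prosecdef
  AND  o.rolsuper
  AND  n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND  has_function_privilege('myuser', p.oid, 'EXECUTE')
ORDER  BY 1, 2;

-- 3. Remediation if either query turns something up for myuser:
--    ALTER ROLE myuser NOSUPERUSER;
--    REVOKE pg_read_server_files, pg_write_server_files,
--           pg_execute_server_programs FROM myuser;
--    ALTER FUNCTION <schema>.<function>() SET search_path = pg_catalog, pg_temp;
```

The first query should return no rows for an ordinary read/write application role; any row it does return is a role whose compromise extends to the host, not just the data.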

I'm going to answer this question a different way. When we're talking about database servers, the data within said databases is typically far more valuable than anything sitting on the file system. Database servers can be brought back online, databases can be restored from backups, etc...

Not to diminish the fact that a user with OS access can wreak havoc and take a database offline. I'd be far more concerned what a malicious user would do to a database with write permission. They can manipulate data, delete data, insert bad data, etc.

If a user is truly wanting to be malicious, this is all the access they would need to be destructive. Depending on how aggressive they are, data changes could go undetected for weeks or months, making the chance of recovery challenging.

So in this case, what are you trying to protect against?

  1. Preventing trusted database users from making accidental changes at the OS level?
  2. Making sure the scope of a malicious user is limited?
Brendan McCaffrey