Re: [HACKERS] unprivileged contrib and pl install (formerly tsearch

Jeremy Drake <pgsql(at)jdrake(dot)com> writes:
> On Wed, 24 Jan 2007, Tom Lane wrote:
>> that there really needs to be *some* sort of privilege check here.
>> What that is and how to implement it are the hard parts.

> So I guess it depends on what you mean by "DBA". Perhaps the database
> owner? Or some new privilege type (GRANT CREATE ON LANGUAGE ...? Or GRANT
> CREATE LANGUAGE ON DATABASE...?) that the db owner has by default?

Not the DB owner. If you are worried about whether to allow use of PLs
it's almost certainly an installation-wide security concern, so I'd say
that the privilege has to flow from a superuser.

GRANT CREATE ON LANGUAGE feeding into a flag bit in pltemplate would
work, if restricted to superusers, but I suspect people would find this
confusing because it'd work completely differently from GRANT USAGE ON
LANGUAGE (eg, because the latter has only database-local effects).
Might be better to use a different syntax.

Note I'm not arguing against allowing it to be "on" by default, I just
want to be sure there is a way for paranoid DBAs to turn it off. Maybe
it'd be sufficient if the flag bit was there but "UPDATE pg_pltemplate"
was the only way to manipulate it --- we've gotten along with treating
datistemplate and datallowconn that way.

Or we could go the full nine yards and add ACLs to pltemplate, but
that's probably overkill.

regards, tom lane