Re: Question: CREATE EXTENSION and create schema permission?

From: Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp>
To: Dimitri Fontaine <dimitri(at)2ndquadrant(dot)fr>
Cc: PgHacker <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Question: CREATE EXTENSION and create schema permission?
Date: 2011-08-22 09:14:45
Message-ID: CADyhKSXhMNarH3co=VxHKEUcp5K+tP9-E3W=038b48gpAKB6HA@mail.gmail.com
Lists: pgsql-hackers

The attached patch adds a permission check for the scenario that I
explained below.

Unlike CreateSchemaCommand(), we don't have check_is_member_of_role() here
because the extowner is obviously the same as the current user in this code path.

I hope this patch will also be back-ported to the v9.1 tree, not only v9.2
development.

Thanks,

2011/8/21 Dimitri Fontaine <dimitri(at)2ndquadrant(dot)fr>:
> Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp> writes:
>> The current implementation sets the current user as owner of the new schema.
>> The default permission check of a schema allows the owner to create several kinds
>> of underlying objects.
>>
>> As a result, we may consider a scenario in which a user without permission to
>> create new objects possibly gets a schema created by CREATE EXTENSION
>> that allows him to create new objects (such as table, function, ...).
>>
>> I don't think it is a desirable behavior. :-(
>
> Agreed,
> --
> Dimitri Fontaine
> http://2ndQuadrant.fr     PostgreSQL : Expertise, Formation et Support
>
--
KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>

Attachment Content-Type Size
pgsql-create-extension-permission-checks.patch application/octet-stream 1.0 KB
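
An audit query for the condition discussed in this message, added here as an example and not part of the attached patch or the thread: it lists schemas whose owner lacks CREATE privilege on the current database, together with any extension installed in them. It assumes a server with the pg_extension catalog (9.1 or later); the column aliases are illustrative.

```sql
-- Added example, not from the patch: find schemas owned by a role that
-- could not have created them through CREATE SCHEMA, because the role
-- has no CREATE privilege on the current database.
SELECT n.nspname AS schema_name,
       r.rolname AS schema_owner,
       e.extname AS extension_in_schema,   -- NULL if no extension lives here
       -- Whether the owner can create tables, functions, ... in the schema,
       -- which is the default for a schema owner.
       has_schema_privilege(n.nspowner, n.oid, 'CREATE') AS owner_can_create_objects
FROM pg_namespace AS n
JOIN pg_roles AS r
  ON r.oid = n.nspowner
LEFT JOIN pg_extension AS e
  ON e.extnamespace = n.oid
-- Superusers pass every privilege check, so system schemas are not reported.
WHERE NOT has_database_privilege(n.nspowner, current_database()::text, 'CREATE')
ORDER BY n.nspname, e.extname;
```

A row with a non-NULL extension_in_schema is a schema that holds an extension and is owned by a role without database-level CREATE privilege; other rows can also come from ownership changes or revoked privileges and need a manual look.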
