| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Julien Rouhaud <rjuju123(at)gmail(dot)com> |
| Cc: | Darafei Komяpa Praliaskouski <me(at)komzpa(dot)net>, PostgreSQL Developers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: Marking some contrib modules as trusted extensions |
| Date: | 2020-01-29 21:38:53 |
| Message-ID: | 5280.1580333933@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Julien Rouhaud <rjuju123(at)gmail(dot)com> writes:
>>> Probably NO, if only because you'd need additional privileges
>>> to use these anyway:
>>> pg_stat_statements
> But the additional privileges are global, so assuming the extension
> has been properly setup, wouldn't it be sensible to ease the
> per-database installation? If not properly setup, there's no harm in
> creating the extension anyway.
Mmm, I'm not convinced --- the ability to see what statements are being
executed in other sessions (even other databases) is something that
paranoid installations might not be so happy about. Our previous
discussions about what privilege level is needed to look at
pg_stat_statements info were all made against a background assumption
that you needed some extra privilege to set up the view in the first
place. I think that would need another look or two before being
comfortable that we're not shifting the goal posts too far.
The bigger picture here is that I don't want to get push-back that
we've broken somebody's security posture by marking too many extensions
trusted. So for anything where there's any question about security
implications, we should err in the conservative direction of leaving
it untrusted.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2020-01-29 21:47:19 | Re: parens cleanup |
| Previous Message | Julien Rouhaud | 2020-01-29 21:28:22 | Re: Marking some contrib modules as trusted extensions |