Re: Extension security improvement: Add support for extensions with an owned schema

From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: Jelte Fennema-Nio <me(at)jeltef(dot)nl>
Cc: Julien Rouhaud <rjuju123(at)gmail(dot)com>, Artem Gavrilov <artem(dot)gavrilov(at)percona(dot)com>, Tomas Vondra <tomas(at)vondra(dot)me>, "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>, Jeff Davis <pgsql(at)j-davis(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Extension security improvement: Add support for extensions with an owned schema
Date: 2025-09-11 13:01:51
Message-ID: CA+TgmoY0zKz-mkXjkRUd-vNT4sp+=j5aJKd6er9WgOH9Q0Qriw@mail.gmail.com
Lists: pgsql-hackers

On Sat, Sep 6, 2025 at 3:35 AM Jelte Fennema-Nio <me(at)jeltef(dot)nl> wrote:
> I think that sounds like a reasonable change to Robert's initial
> proposal: Allowing the schema owner and superusers to add objects in
> the schema, but disallow all other users (even if they have CREATE
> privileges on the schema).

I don't know, I'm not really convinced. I feel like this isn't really
a security issue but more of a could-be-an-unpleasant-surprise issue.
What the patch does (IIRC) is make it so that dropping the extension
just cascade-drops the schema. If the schema contains anything
unrelated to the extension, that's going to remove stuff that it
shouldn't remove. In Julien's examples, the other stuff that gets
introduced into the schema is logically part of the extension even if
it doesn't formally have membership in the extension, but somebody
could equally well just install an unrelated extension in the same
schema and then drop the first extension and, whoops.

--
Robert Haas
EDB: http://www.enterprisedb.com
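To make the "whoops" concrete: Robert describes the patch as making DROP EXTENSION cascade-drop the owned schema, taking with it anything that happens to live there, member of the extension or not. The following is an added SQL example, not code from the thread or from the patch. The owned-schema syntax under discussion is not in any released PostgreSQL, so it uses a plain schema and DROP SCHEMA ... CASCADE as the stand-in for the cascade, and it shows the catalog check a practitioner would run before any such drop: list the objects in the schema that are not recorded as extension members. The schema name `ext_owned`, the extension name `myext` and the table names are made up for the demo.

```sql
-- Added example, not from the thread or the patch. Names are invented.

CREATE SCHEMA ext_owned;

-- Pretend this table was installed by the extension (in the real case it
-- would carry an 'e' dependency on the pg_extension row).
CREATE TABLE ext_owned.config (key text PRIMARY KEY, value text);

-- Someone with CREATE on the schema puts an unrelated table there.
CREATE TABLE ext_owned.customer_notes (id serial PRIMARY KEY, note text);
INSERT INTO ext_owned.customer_notes (note) VALUES ('not part of the extension');

-- Pre-drop check. Every object created in a schema records a normal ('n')
-- dependency on its pg_namespace row; extension members additionally record
-- an 'e' dependency on the pg_extension row. Objects with the former but not
-- the latter are exactly what a schema-wide cascade would destroy.
-- 'myext' is a placeholder; here nothing is a member, so both tables show up.
WITH in_schema AS (
    SELECT d.classid, d.objid
    FROM pg_depend d
    JOIN pg_namespace n
      ON d.refclassid = 'pg_namespace'::regclass
     AND d.refobjid = n.oid
    WHERE n.nspname = 'ext_owned'
      AND d.deptype = 'n'
      AND d.objsubid = 0
)
SELECT pg_describe_object(s.classid, s.objid, 0) AS would_be_dropped
FROM in_schema s
WHERE NOT EXISTS (
    SELECT 1
    FROM pg_depend d
    JOIN pg_extension e
      ON d.refclassid = 'pg_extension'::regclass
     AND d.refobjid = e.oid
    WHERE d.classid = s.classid
      AND d.objid = s.objid
      AND d.deptype = 'e'
      AND e.extname = 'myext'
)
ORDER BY 1;

-- What the cascade does: everything in the schema goes, member or not.
DROP SCHEMA ext_owned CASCADE;

-- The unrelated table is gone as well (to_regclass returns NULL).
SELECT to_regclass('ext_owned.customer_notes') IS NULL AS unrelated_table_gone;
```

The check query is the useful part in practice: run it against the schema an extension owns before dropping the extension, and anything it returns is data or code that nobody declared as part of the extension and that a cascade would silently remove.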
