Re: [PATCH] New predefined role pg_manage_extensions

On Fri, Jan 12, 2024 at 10:13 AM Jelte Fennema-Nio <postgres(at)jeltef(dot)nl> wrote:
> On Fri, 12 Jan 2024 at 15:53, Michael Banck <mbanck(at)gmx(dot)net> wrote:
> > I propose to add a new predefined role to Postgres,
> > pg_manage_extensions. The idea is that it allows Superusers to delegate
> > the rights to create, update or delete extensions to other roles, even
> > if those extensions are not trusted or those users are not the database
> > owner.
>
> I agree that extension creation is one of the main reasons people
> require superuser access, and I think it would be beneficial to try to
> reduce that. But I'm not sure that such a pg_manage_extensions role
> would have any fewer permissions than superuser in practice. Afaik
> many extensions that are not marked as trusted, are not trusted
> because they would allow fairly trivial privilege escalation to
> superuser if they were.

I see that Jelte walked this comment back, but I think this issue
needs more discussion. I'm not intrinsically against having a role
like pg_execute_server_programs that allows escalation to superuser,
but I don't see how it would help a cloud provider whose goal is to
NOT allow administrators to escalate to superuser.

What am I missing?

--
Robert Haas
EDB: http://www.enterprisedb.com