Re: Extension security improvement: Add support for extensions with an owned schema

On Sat, 6 Sept 2025 at 02:17, Julien Rouhaud <rjuju123(at)gmail(dot)com> wrote:
> Requiring schema owner privilege wouldn't allow the user who created the
> extension to allow other users to mess up with the extension's private schema?
> At least not with a simple GRANT on the schema.

I think that sounds like reasonable change to Roberts initial
proposal: Allowing the schema owner and superusers to add objects in
the schema, but disallow all other users (even if they have CREATE
privileges on the schema).

I think this seems reasonable from a security perspective. The thing
owned_schema protects against, is accidentally executing code with
permissions of the extension script runner. The owner of the schema is
always the same user as the extension script runner. But it protects
users from the somewhat easy to make mistake of GRANT ALL ON SCHEMA
(instead of GRANT USAGE ON SCHEMA).

Note that this means that even with trusted=true, a non-superuser
extension owner would still not be able to the schema. For that
superuser=false is needed in the control file.

The only thing I'm wondering is if we should allow changing the schema
owner with ALTER SCHEMA OWNER TO. Because that would break this
assumption:
> The owner of the schema is always the same user as the extension script runner.

But that command seems unlikely to be run by accident. But on the
other hand, I don't really see a usecase for changing the schema
owner, except for breaking this protection. So I'm leaning towards
disallowing ALTER SCHEMA OWNER TO on the schema, probably even for
superusers.