diff --git a/doc/src/sgml/catalogs.sgml b/doc/src/sgml/catalogs.sgml
index 5e71a2e..4c32fd8 100644
--- a/doc/src/sgml/catalogs.sgml
+++ b/doc/src/sgml/catalogs.sgml
@@ -8520,7 +8520,15 @@ SCRAM-SHA-256$<iteration count>:&l
superuser
bool
- True if only superusers are allowed to install this extension
+ True if only superusers are allowed to install this extension
+ (but see trustable)
+
+
+
+ trustable
+ bool
+ True if the extension can be installed by non-superusers when
+ configuration settings permit
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 89284dc..ff4520b 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -8447,6 +8447,78 @@ dynamic_library_path = 'C:\tools\postgresql;H:\my_project\lib;$libdir'
+
+ trusted_extensions_dba (string)
+
+ trusted_extensions_dba configuration parameter
+
+
+
+
+ This parameter is a regular expression that matches the names of
+ trustable extensions that database owners are allowed to install
+ into their databases
+ (that is, run on; the
+ extension's files must already be present in the installation).
+ See for more information.
+ Regular expressions are explained in
+ .
+
+
+
+ The default value for this parameter is
+ '^pl', which matches any extension whose name
+ begins with pl. This allows database owners to
+ install trusted procedural languages, which was the hard-wired
+ behavior in older PostgreSQL versions.
+
+
+
+ This parameter can be changed at run time by superusers, but a
+ setting done that way will only persist until the end of the
+ client connection, so this method should be reserved for
+ development purposes. The recommended way to set this parameter
+ is in the postgresql.conf configuration
+ file.
+
+
+
+
+
+ trusted_extensions_anyone (string)
+
+ trusted_extensions_anyone configuration parameter
+
+
+
+
+ This parameter is a regular expression that matches the names of
+ trustable extensions that any SQL user is allowed to install
+ (that is, run on; the
+ extension's files must already be present in the installation).
+ See for more information.
+ Regular expressions are explained in
+ .
+
+
+
+ The default value for this parameter is
+ '^$', which matches no extension names, thus
+ forbidding unprivileged users from installing any extensions that
+ require superuser privileges to install.
+
+
+
+ This parameter can be changed at run time by superusers, but a
+ setting done that way will only persist until the end of the
+ client connection, so this method should be reserved for
+ development purposes. The recommended way to set this parameter
+ is in the postgresql.conf configuration
+ file.
+
+
+
+
gin_fuzzy_search_limit (integer)
diff --git a/doc/src/sgml/extend.sgml b/doc/src/sgml/extend.sgml
index b5e59d5..8049934 100644
--- a/doc/src/sgml/extend.sgml
+++ b/doc/src/sgml/extend.sgml
@@ -576,6 +576,33 @@
version. If it is set to false, just the privileges
required to execute the commands in the installation or update script
are required.
+ This should normally be set to true if any of the
+ script commands require superuser privileges. (Such commands would
+ fail anyway, but it's more user-friendly to give the error up front.)
+
+
+
+
+
+ trustable (boolean)
+
+
+ This parameter, if set to true (which is not the
+ default), allows non-superusers to install an extension that
+ has superuser set to true.
+ The extension must also be considered
+ trustable by the installation's configuration parameters (see
+ and
+ ) before this is
+ allowed. If both requirements hold and the user
+ executing CREATE EXTENSION is not a superuser,
+ then the installation or update script is run as the bootstrap
+ superuser, not as the calling user.
+ This parameter is irrelevant if superuser is
+ false.
+ Generally, this should not be set true for extensions that would
+ allow access to otherwise-superuser-only abilities, such as
+ untrusted procedural languages.
@@ -642,6 +669,18 @@
+ If the extension script contains the
+ string @extowner@, that string is replaced with the
+ (suitably quoted) name of the user calling CREATE
+ EXTENSION or ALTER EXTENSION. Typically
+ this feature is used by extensions that are marked trustable to assign
+ ownership of selected objects to the calling user rather than the
+ bootstrap superuser. (One should be careful about doing so, however.
+ For example, assigning ownership of a C-language function to a
+ non-superuser would create a privilege escalation path for that user.)
+
+
+
While the script files can contain any characters allowed by the specified
encoding, control files should contain only plain ASCII, because there
is no way for PostgreSQL to know what encoding a
diff --git a/doc/src/sgml/ref/create_extension.sgml b/doc/src/sgml/ref/create_extension.sgml
index 36837f9..ee59bfe 100644
--- a/doc/src/sgml/ref/create_extension.sgml
+++ b/doc/src/sgml/ref/create_extension.sgml
@@ -47,14 +47,28 @@ CREATE EXTENSION [ IF NOT EXISTS ] extension_name
- Loading an extension requires the same privileges that would be
- required to create its component objects. For most extensions this
- means superuser or database owner privileges are needed.
+ Loading an extension ordinarily requires the same privileges that would be
+ required to create its component objects. For many extensions this
+ means superuser privileges are needed.
The user who runs CREATE EXTENSION becomes the
owner of the extension for purposes of later privilege checks, as well
as the owner of any objects created by the extension's script.
+
+ However, if the extension is marked trustable in
+ its control file, and it is trusted by the local installation according
+ to the relevant configuration parameter
+ ( or
+ ),
+ then it can be installed by a non-superuser. In this case the extension
+ object itself will be owned by the calling user, but the contained
+ objects will be owned by the bootstrap superuser (unless the
+ extension's script explicitly assigns them to the calling user).
+ This configuration gives the calling user the right to drop the
+ extension, but not to modify individual objects within it.
+
+
diff --git a/src/backend/catalog/system_views.sql b/src/backend/catalog/system_views.sql
index ea4c85e..f3e4d43 100644
--- a/src/backend/catalog/system_views.sql
+++ b/src/backend/catalog/system_views.sql
@@ -317,7 +317,8 @@ CREATE VIEW pg_available_extensions AS
CREATE VIEW pg_available_extension_versions AS
SELECT E.name, E.version, (X.extname IS NOT NULL) AS installed,
- E.superuser, E.relocatable, E.schema, E.requires, E.comment
+ E.superuser, E.trustable, E.relocatable,
+ E.schema, E.requires, E.comment
FROM pg_available_extension_versions() AS E
LEFT JOIN pg_extension AS X
ON E.name = X.extname AND E.version = X.extversion;
diff --git a/src/backend/commands/extension.c b/src/backend/commands/extension.c
index f7202cc..257b4fc 100644
--- a/src/backend/commands/extension.c
+++ b/src/backend/commands/extension.c
@@ -40,6 +40,7 @@
#include "catalog/indexing.h"
#include "catalog/namespace.h"
#include "catalog/objectaccess.h"
+#include "catalog/pg_authid.h"
#include "catalog/pg_collation.h"
#include "catalog/pg_depend.h"
#include "catalog/pg_extension.h"
@@ -54,6 +55,7 @@
#include "mb/pg_wchar.h"
#include "miscadmin.h"
#include "nodes/makefuncs.h"
+#include "regex/regex.h"
#include "storage/fd.h"
#include "tcop/utility.h"
#include "utils/acl.h"
@@ -66,6 +68,10 @@
#include "utils/varlena.h"
+/* GUC settings */
+char *trusted_extensions_dba;
+char *trusted_extensions_anyone;
+
/* Globally visible state variables */
bool creating_extension = false;
Oid CurrentExtensionObject = InvalidOid;
@@ -84,6 +90,7 @@ typedef struct ExtensionControlFile
char *schema; /* target schema (allowed if !relocatable) */
bool relocatable; /* is ALTER EXTENSION SET SCHEMA supported? */
bool superuser; /* must be superuser to install? */
+ bool trustable; /* allow becoming superuser on the fly? */
int encoding; /* encoding of the script file, or -1 */
List *requires; /* names of prerequisite extensions */
} ExtensionControlFile;
@@ -558,6 +565,14 @@ parse_extension_control_file(ExtensionControlFile *control,
errmsg("parameter \"%s\" requires a Boolean value",
item->name)));
}
+ else if (strcmp(item->name, "trustable") == 0)
+ {
+ if (!parse_bool(item->value, &control->trustable))
+ ereport(ERROR,
+ (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+ errmsg("parameter \"%s\" requires a Boolean value",
+ item->name)));
+ }
else if (strcmp(item->name, "encoding") == 0)
{
control->encoding = pg_valid_server_encoding(item->value);
@@ -614,6 +629,7 @@ read_extension_control_file(const char *extname)
control->name = pstrdup(extname);
control->relocatable = false;
control->superuser = true;
+ control->trustable = false;
control->encoding = -1;
/*
@@ -795,6 +811,76 @@ execute_sql_string(const char *sql)
}
/*
+ * Check if "str" matches the regular expression "pattern".
+ *
+ * XXX Perhaps we should put this somewhere else?
+ */
+static bool
+string_matches_regex(const char *str, const char *pattern)
+{
+ int r;
+ pg_wchar *wstr;
+ int wlen;
+ regex_t re;
+ char errstr[100];
+
+ /* The regex library wants to deal in wchars not chars */
+ wstr = palloc((strlen(pattern) + 1) * sizeof(pg_wchar));
+ wlen = pg_mb2wchar_with_len(pattern, wstr, strlen(pattern));
+
+ r = pg_regcomp(&re, wstr, wlen, REG_ADVANCED, C_COLLATION_OID);
+ if (r)
+ {
+ /* This shouldn't really happen, since guc.c checked the value */
+ pg_regerror(r, &re, errstr, sizeof(errstr));
+ /* no need for pg_regfree here */
+ ereport(ERROR,
+ (errcode(ERRCODE_INVALID_REGULAR_EXPRESSION),
+ errmsg("invalid regular expression \"%s\": %s",
+ pattern, errstr)));
+ }
+ pfree(wstr);
+
+ wstr = palloc((strlen(str) + 1) * sizeof(pg_wchar));
+ wlen = pg_mb2wchar_with_len(str, wstr, strlen(str));
+
+ r = pg_regexec(&re, wstr, wlen, 0, NULL, 0, NULL, 0);
+ if (r != REG_OKAY && r != REG_NOMATCH)
+ {
+ pg_regerror(r, &re, errstr, sizeof(errstr));
+ pg_regfree(&re);
+ ereport(ERROR,
+ (errcode(ERRCODE_INVALID_REGULAR_EXPRESSION),
+ errmsg("regular expression match for \"%s\" failed: %s",
+ pattern, errstr)));
+ }
+ pfree(wstr);
+
+ pg_regfree(&re);
+ return (r == REG_OKAY);
+}
+
+/*
+ * Policy function: is the given extension trusted for installation by a
+ * non-superuser?
+ */
+static bool
+extension_is_trusted(ExtensionControlFile *control)
+{
+ /* Never trust unless extension's control file says it's okay */
+ if (!control->trustable)
+ return false;
+ /* Database owner can install, if it matches appropriate GUC */
+ if (pg_database_ownercheck(MyDatabaseId, GetUserId()) &&
+ string_matches_regex(control->name, trusted_extensions_dba))
+ return true;
+ /* Anyone can install, if it matches that GUC */
+ if (string_matches_regex(control->name, trusted_extensions_anyone))
+ return true;
+ return false;
+}
+
+/*
* Execute the appropriate script file for installing or updating the extension
*
* If from_version isn't NULL, it's an update
@@ -806,19 +892,24 @@ execute_extension_script(Oid extensionOid, ExtensionControlFile *control,
List *requiredSchemas,
const char *schemaName, Oid schemaOid)
{
+ bool switch_to_superuser = false;
char *filename;
+ Oid save_userid = 0;
+ int save_sec_context = 0;
int save_nestlevel;
StringInfoData pathbuf;
ListCell *lc;
/*
- * Enforce superuser-ness if appropriate. We postpone this check until
- * here so that the flag is correctly associated with the right script(s)
- * if it's set in secondary control files.
+ * Enforce superuser-ness if appropriate. We postpone these checks until
+ * here so that the control flags are correctly associated with the right
+ * script(s) if they happen to be set in secondary control files.
*/
if (control->superuser && !superuser())
{
- if (from_version == NULL)
+ if (extension_is_trusted(control))
+ switch_to_superuser = true;
+ else if (from_version == NULL)
ereport(ERROR,
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
errmsg("permission denied to create extension \"%s\"",
@@ -835,6 +926,18 @@ execute_extension_script(Oid extensionOid, ExtensionControlFile *control,
filename = get_extension_script_filename(control, from_version, version);
/*
+ * If installing a trusted extension on behalf of a non-superuser, become
+ * the bootstrap superuser. (This switch will be cleaned up automatically
+ * if the transaction aborts, as will the GUC changes below.)
+ */
+ if (switch_to_superuser)
+ {
+ GetUserIdAndSecContext(&save_userid, &save_sec_context);
+ SetUserIdAndSecContext(BOOTSTRAP_SUPERUSERID,
+ save_sec_context | SECURITY_LOCAL_USERID_CHANGE);
+ }
+
+ /*
* Force client_min_messages and log_min_messages to be at least WARNING,
* so that we won't spam the user with useless NOTICE messages from common
* script actions like creating shell types.
@@ -907,6 +1010,22 @@ execute_extension_script(Oid extensionOid, ExtensionControlFile *control,
CStringGetTextDatum("ng"));
/*
+ * If the script uses @extowner@, substitute the calling username.
+ */
+ if (strstr(c_sql, "@extowner@"))
+ {
+ Oid uid = switch_to_superuser ? save_userid : GetUserId();
+ const char *userName = GetUserNameFromId(uid, false);
+ const char *qUserName = quote_identifier(userName);
+
+ t_sql = DirectFunctionCall3Coll(replace_text,
+ C_COLLATION_OID,
+ t_sql,
+ CStringGetTextDatum("@extowner@"),
+ CStringGetTextDatum(qUserName));
+ }
+
+ /*
* If it's not relocatable, substitute the target schema name for
* occurrences of @extschema@.
*
@@ -957,6 +1076,12 @@ execute_extension_script(Oid extensionOid, ExtensionControlFile *control,
* Restore the GUC variables we set above.
*/
AtEOXact_GUC(true, save_nestlevel);
+
+ /*
+ * Restore authentication state if needed.
+ */
+ if (switch_to_superuser)
+ SetUserIdAndSecContext(save_userid, save_sec_context);
}
/*
@@ -2117,8 +2242,8 @@ get_available_versions_for_extension(ExtensionControlFile *pcontrol,
{
ExtensionVersionInfo *evi = (ExtensionVersionInfo *) lfirst(lc);
ExtensionControlFile *control;
- Datum values[7];
- bool nulls[7];
+ Datum values[8];
+ bool nulls[8];
ListCell *lc2;
if (!evi->installable)
@@ -2139,24 +2264,26 @@ get_available_versions_for_extension(ExtensionControlFile *pcontrol,
values[1] = CStringGetTextDatum(evi->name);
/* superuser */
values[2] = BoolGetDatum(control->superuser);
+ /* trustable */
+ values[3] = BoolGetDatum(control->trustable);
/* relocatable */
- values[3] = BoolGetDatum(control->relocatable);
+ values[4] = BoolGetDatum(control->relocatable);
/* schema */
if (control->schema == NULL)
- nulls[4] = true;
+ nulls[5] = true;
else
- values[4] = DirectFunctionCall1(namein,
+ values[5] = DirectFunctionCall1(namein,
CStringGetDatum(control->schema));
/* requires */
if (control->requires == NIL)
- nulls[5] = true;
+ nulls[6] = true;
else
- values[5] = convert_requires_to_datum(control->requires);
+ values[6] = convert_requires_to_datum(control->requires);
/* comment */
if (control->comment == NULL)
- nulls[6] = true;
+ nulls[7] = true;
else
- values[6] = CStringGetTextDatum(control->comment);
+ values[7] = CStringGetTextDatum(control->comment);
tuplestore_putvalues(tupstore, tupdesc, values, nulls);
@@ -2184,16 +2311,18 @@ get_available_versions_for_extension(ExtensionControlFile *pcontrol,
values[1] = CStringGetTextDatum(evi2->name);
/* superuser */
values[2] = BoolGetDatum(control->superuser);
+ /* trustable */
+ values[3] = BoolGetDatum(control->trustable);
/* relocatable */
- values[3] = BoolGetDatum(control->relocatable);
+ values[4] = BoolGetDatum(control->relocatable);
/* schema stays the same */
/* requires */
if (control->requires == NIL)
- nulls[5] = true;
+ nulls[6] = true;
else
{
- values[5] = convert_requires_to_datum(control->requires);
- nulls[5] = false;
+ values[6] = convert_requires_to_datum(control->requires);
+ nulls[6] = false;
}
/* comment stays the same */
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index 90ffd89..614d993 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -36,7 +36,9 @@
#include "access/xlog_internal.h"
#include "catalog/namespace.h"
#include "catalog/pg_authid.h"
+#include "catalog/pg_collation.h"
#include "commands/async.h"
+#include "commands/extension.h"
#include "commands/prepare.h"
#include "commands/user.h"
#include "commands/vacuum.h"
@@ -65,6 +67,7 @@
#include "postmaster/postmaster.h"
#include "postmaster/syslogger.h"
#include "postmaster/walwriter.h"
+#include "regex/regex.h"
#include "replication/logicallauncher.h"
#include "replication/slot.h"
#include "replication/syncrep.h"
@@ -175,6 +178,7 @@ static bool check_ssl(bool *newval, void **extra, GucSource source);
static bool check_stage_log_stats(bool *newval, void **extra, GucSource source);
static bool check_log_stats(bool *newval, void **extra, GucSource source);
static bool check_canonical_path(char **newval, void **extra, GucSource source);
+static bool check_regular_expression(char **newval, void **extra, GucSource source);
static bool check_timezone_abbreviations(char **newval, void **extra, GucSource source);
static void assign_timezone_abbreviations(const char *newval, void *extra);
static void pg_timezone_abbrev_initialize(void);
@@ -4178,6 +4182,26 @@ static struct config_string ConfigureNamesString[] =
},
{
+ {"trusted_extensions_dba", PGC_SUSET, CLIENT_CONN_OTHER,
+ gettext_noop("Selects which trustable extensions may be installed by database owners."),
+ NULL
+ },
+ &trusted_extensions_dba,
+ "^pl",
+ check_regular_expression, NULL, NULL
+ },
+
+ {
+ {"trusted_extensions_anyone", PGC_SUSET, CLIENT_CONN_OTHER,
+ gettext_noop("Selects which trustable extensions may be installed by anyone."),
+ NULL
+ },
+ &trusted_extensions_anyone,
+ "^$",
+ check_regular_expression, NULL, NULL
+ },
+
+ {
{"wal_consistency_checking", PGC_SUSET, DEVELOPER_OPTIONS,
gettext_noop("Sets the WAL resource managers for which WAL consistency checks are done."),
gettext_noop("Full-page images will be logged for all data blocks and cross-checked against the results of WAL replay."),
@@ -11114,6 +11138,37 @@ check_canonical_path(char **newval, void **extra, GucSource source)
return true;
}
+/* Check that the GUC's value is a valid regular expression. */
+static bool
+check_regular_expression(char **newval, void **extra, GucSource source)
+{
+ int r;
+ pg_wchar *wstr;
+ int wlen;
+ regex_t re;
+
+ if (!*newval)
+ return false;
+
+ /* The regex library wants to deal in wchars not chars */
+ wstr = palloc((strlen(*newval) + 1) * sizeof(pg_wchar));
+ wlen = pg_mb2wchar_with_len(*newval, wstr, strlen(*newval));
+
+ r = pg_regcomp(&re, wstr, wlen, REG_ADVANCED, C_COLLATION_OID);
+ if (r)
+ {
+ char errstr[100];
+
+ pg_regerror(r, &re, errstr, sizeof(errstr));
+ GUC_check_errdetail("invalid regular expression: %s", errstr);
+ pfree(wstr);
+ return false;
+ }
+ pg_regfree(&re);
+ pfree(wstr);
+ return true;
+}
+
static bool
check_timezone_abbreviations(char **newval, void **extra, GucSource source)
{
diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
index 39fc787..5caeb76 100644
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -682,6 +682,9 @@
#dynamic_library_path = '$libdir'
+#trusted_extensions_dba = '^pl' # exts installable by database owner
+#trusted_extensions_anyone = '^$' # exts installable by anyone
+
#------------------------------------------------------------------------------
# LOCK MANAGEMENT
diff --git a/src/include/catalog/pg_proc.dat b/src/include/catalog/pg_proc.dat
index b88e886..f2551e1 100644
--- a/src/include/catalog/pg_proc.dat
+++ b/src/include/catalog/pg_proc.dat
@@ -9431,9 +9431,9 @@
proname => 'pg_available_extension_versions', procost => '10',
prorows => '100', proretset => 't', provolatile => 's',
prorettype => 'record', proargtypes => '',
- proallargtypes => '{name,text,bool,bool,name,_name,text}',
- proargmodes => '{o,o,o,o,o,o,o}',
- proargnames => '{name,version,superuser,relocatable,schema,requires,comment}',
+ proallargtypes => '{name,text,bool,bool,bool,name,_name,text}',
+ proargmodes => '{o,o,o,o,o,o,o,o}',
+ proargnames => '{name,version,superuser,trustable,relocatable,schema,requires,comment}',
prosrc => 'pg_available_extension_versions' },
{ oid => '3084', descr => 'list an extension\'s version update paths',
proname => 'pg_extension_update_paths', procost => '10', prorows => '100',
diff --git a/src/include/commands/extension.h b/src/include/commands/extension.h
index 02fc17d..3a155eaf 100644
--- a/src/include/commands/extension.h
+++ b/src/include/commands/extension.h
@@ -18,6 +18,10 @@
#include "nodes/parsenodes.h"
+/* GUC settings */
+extern char *trusted_extensions_dba;
+extern char *trusted_extensions_anyone;
+
/*
* creating_extension is only true while running a CREATE EXTENSION or ALTER
* EXTENSION UPDATE command. It instructs recordDependencyOnCurrentExtension()
diff --git a/src/test/regress/expected/rules.out b/src/test/regress/expected/rules.out
index 210e9cd..56b20f6 100644
--- a/src/test/regress/expected/rules.out
+++ b/src/test/regress/expected/rules.out
@@ -1311,11 +1311,12 @@ pg_available_extension_versions| SELECT e.name,
e.version,
(x.extname IS NOT NULL) AS installed,
e.superuser,
+ e.trustable,
e.relocatable,
e.schema,
e.requires,
e.comment
- FROM (pg_available_extension_versions() e(name, version, superuser, relocatable, schema, requires, comment)
+ FROM (pg_available_extension_versions() e(name, version, superuser, trustable, relocatable, schema, requires, comment)
LEFT JOIN pg_extension x ON (((e.name = x.extname) AND (e.version = x.extversion))));
pg_available_extensions| SELECT e.name,
e.default_version,