Postgres Pro
Downloads
Home   >   mailing lists

Re: Extension Templates S03E11 - Mailing list pgsql-hackers

From Jeff Davis
Subject Re: Extension Templates S03E11
Date
Msg-id 1385845228.7500.267.camel@jdavis
Whole thread Raw
In response to Re: Extension Templates S03E11  (Dimitri Fontaine <dimitri@2ndQuadrant.fr>)
Responses Re: Extension Templates S03E11
List pgsql-hackers
Tree view 
On Wed, 2013-11-27 at 18:34 +0100, Dimitri Fontaine wrote:
> The other main point that will change the current code is dealing with
> superusers and security concerns. Baring objections, I'm going to
> implement a variation of what I did propose in the thread:
> 
>   When a superuser CREATE EXTENSION against a template that has been
>   provided by a non-privileged user, automatically SET ROLE to that user
>   before doing so, avoiding escalation privileges.

That proposal is worded like a special case for superusers, and I don't
see why. If the security model is that an extension script is run with
as the template owner, then we should just do that universally. If not,
making a special case for superusers undermines the security of
powerful-but-not-superuser roles.

I haven't looked in detail at the security issues here... is this the
result of a consensus or are there still differing opinions?

> If that's not what the superuser intended, then it still is possible for
> him to ALTER TEMPLATE FOR EXTENSION … OWNER TO himself beforehand.

Doesn't sound like a clean workaround.

We already have a model for executing functions, and those are black
boxes of code as well. If we deviate too much from that, I think we're
inviting problems.

Heikki expressed some concerns here:

http://www.postgresql.org/message-id/5152FF3D.4000401@vmware.com

followed by Robert. The concerns seem mostly about the namespace,
because it's hard to be sure that "CREATE EXTENSION foo" installs the
"foo" you expect. Those are very valid practical concerns; but I agree
with Dimitri that this is not a fundamental problem, and we might find a
compromise here that can work.

One idea: if a non-superuser role creates an extension template, then it
is only visible to that exact same role.

The first version might only allow superusers to create extension
templates, but it would be nice to have a plan for non-superusers soon.

Aside: why do file-based templates shadow catalog-based templates?
Shouldn't we just throw an error if both are available at CREATE
EXTENSION time?

Also, I notice that the extension templates are not in shared catalogs;
was that discussed?

(Some of these issues seem underdocumented, as well.)

Regards,Jeff Davis

pgsql-hackers by date:

Previous
From: Kevin Grittner
Date:
Subject: Re: [GENERAL] pg_upgrade ?deficiency
Next
From: Peter Eisentraut
Date:
Subject: Re: Re: [BUGS] BUG #7873: pg_restore --clean tries to drop tables that don't exist