Tom Lane wrote:
> If you're not clear on why CREATE TYPE in the hands of a bad guy is
> dangerous, here are a couple of reasons:
>
> * By specifying type representation details (len/byval/align) that are
> different from what the type's functions expect, you could trivially
> crash the backend, and less trivially use a pass-by-reference I/O
> function to read out the contents of backend memory.
I think being able to return cstring from a user defined function is
quite dangerous already. I doubt we would ever give that capability to
non-superusers.
I do agree that creating base types should require a superuser though.
It too seems dangerous just on principle, even if today there's no
actual hole (that we already know of).
--
Alvaro Herrera http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.