Andres Freund <andres@2ndquadrant.com> writes:
> On 2013-06-10 10:13:45 -0400, Tom Lane wrote:
>> More generally, it seems pretty insane to me to want to configure a
>> "trusted" PG installation so that it can load C code from an untrusted
>> place. The trust level cannot be any higher than the weakest link.
>> Thus, I don't see a scenario in which any packager would ship binaries
>> using such an option, even if it existed.
> I fail to see the logic here.
You are confusing location in the filesystem with permissions. Assuming
that a sysadmin wants to allow, say, the postgres DBA to install random
extensions, all he has to do is adjust the permissions on the .../extension
directory to allow that (or not). Putting the extension directory
somewhere else doesn't change that meaningfully, it just makes things
more confusing and hence error-prone.
In any case, no packager is going to ship an insecure-by-default
configuration, which is what Dimitri seems to be fantasizing would
happen. It would have to be local option to relax the permissions
on the directory, no matter where it is.
regards, tom lane
