Steve Chavez <steve@supabase.io> writes:

> Currently PostgreSQL only allows creating event triggers for superusers;
> this prevents usage on PostgreSQL service providers, which do not grant
> superuser access.
> This patch allows database owners to create event triggers, while
> preventing privilege escalation.

I'm pretty down on this, at least in the form presented. While
you may have managed to keep the DB owner from sabotaging superusers,
the proposed feature still allows owning every other special role,
for example pg_write_server_files (which is something that's pretty
trivially exploitable to get superuser). Since we've generally been
working towards not requiring superuser for most routine admin tasks,
that problem is going to get worse, not better, over time. I don't
want to see us add a feature that creates a security reason to
avoid using those special roles in favor of using a superuser.

Or in other words: not-superuser to superuser is far from the only
type of privilege escalation that we need to prevent.

regards, tom lane