Tom,
> Yeah, if the config option were to be superuser-only, the security issue
> would be ameliorated --- not removed entirely, IMO, but at least
> weakened. However, this seems to me to be missing the point, which is
> that the extensions feature is designed to let the DBA have control over
> which extensions are potentially installable. If we allow extension
> control files to be loaded from any random directory then we lose that.
> Part of the argument for not requiring superuser permissions to execute
> CREATE EXTENSION was based on that restriction, so we'd need to go back
> and rethink the permissions needed for CREATE EXTENSION.
I do see the utility in having the extension folder relocatable by
packagers; I could really use this for Vagrant builds of PostgreSQL,
which I use for testing. Right now I do a lot of file copying of .so
files. In my case, though, I only need to change the whole extension
folder location; I don't need to have multiple locations, a dirpath, or
anything sophisticated. That is, a superuser, cold-start-only option
of "extension_path='/vagrant/extensions/'" would work for my case, and I
suspect most packaging cases as well.
This seems like it would work for Oliver's case. And I don't see how
making the folder relocatable as an on-start option hurts our security
at all; we're simply doing something which the same user could do with
symlinks, only much more neatly.
--
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com