Re: Marking some contrib modules as trusted extensions - Mailing list pgsql-hackers

From Tom Lane
Subject Re: Marking some contrib modules as trusted extensions
Date
Msg-id 5280.1580333933@sss.pgh.pa.us
In response to Re: Marking some contrib modules as trusted extensions  (Julien Rouhaud <rjuju123@gmail.com>)
Responses Re: Marking some contrib modules as trusted extensions  (Dean Rasheed <dean.a.rasheed@gmail.com>)
Re: Marking some contrib modules as trusted extensions  (Stephen Frost <sfrost@snowman.net>)
List pgsql-hackers
Julien Rouhaud <rjuju123@gmail.com> writes:
>>> Probably NO, if only because you'd need additional privileges
>>> to use these anyway:
>>> pg_stat_statements

> But the additional privileges are global, so assuming the extension
> has been properly set up, wouldn't it be sensible to ease the
> per-database installation?  If not properly set up, there's no harm in
> creating the extension anyway.

Mmm, I'm not convinced --- the ability to see what statements are being
executed in other sessions (even other databases) is something that
paranoid installations might not be so happy about.  Our previous
discussions about what privilege level is needed to look at
pg_stat_statements info were all made against a background assumption
that you needed some extra privilege to set up the view in the first
place.  I think that would need another look or two before being
comfortable that we're not shifting the goal posts too far.

The bigger picture here is that I don't want to get push-back that
we've broken somebody's security posture by marking too many extensions
trusted.  So for anything where there's any question about security
implications, we should err in the conservative direction of leaving
it untrusted.

            regards, tom lane


