Re: Quick Extensions Question - Mailing list pgsql-hackers
From | Tom Lane |
---|---|
Subject | Re: Quick Extensions Question |
Date | |
Msg-id | 7737.1299187868@sss.pgh.pa.us Whole thread Raw |
In response to | Re: Quick Extensions Question (Dimitri Fontaine <dimitri@2ndQuadrant.fr>) |
Responses |
Re: Quick Extensions Question
Re: Quick Extensions Question Re: Quick Extensions Question Re: Quick Extensions Question |
List | pgsql-hackers |
Dimitri Fontaine <dimitri@2ndQuadrant.fr> writes: > Tom Lane <tgl@sss.pgh.pa.us> writes: >> On the whole I'd rather spend time trying to fix the real problem, which >> is allowing CREATE EXTENSION to non-superusers. The general case of >> that looks quite hard to me, but maybe we could get something that works >> for the single case of an extension containing just a language. > Then, what about a control file property to cover that? > pl_language = plpgsql That doesn't fix the permissions problem, it's just a special-case wart for PLs. However, it does strike me that there is one simple case we could support without a great deal of sweat. Namely, what if we allow non-superusers to create an extension if all the commands in the script are ones they could execute anyway? In particular, an extension containing only CREATE LANGUAGE would work for exactly those users who could execute CREATE LANGUAGE under the existing dispensations. This might also make it less painful to use extensions that consist purely of SQL (no underlying C functions). This special case avoids two of the nastier problems that have been bugging me with respect to the general case: 1. We don't have to worry about somehow kluging the permissions checks for commands executed within the script, as we would have to do to let a non-superuser create an extension that includes C functions for instance. 2. We aren't opening a Pandora's box of security vulnerabilities, as would certainly happen if extension scripts that effectively have superuser privs were to be executed in an environment under the control of a malicious non-superuser. Offhand I don't see any security risks in this type of feature. We'd be letting non-superusers examine the extension directory, but we have enough safeguards in place already to be sure they can't see the rest of the filesystem via the extension commands. In the simplest form we could implement this by just removing the superuser() check in CREATE EXTENSION. But then people who tried to load a superuser-only extension would get a permissions failure on some random command within the extension, which might be thought less than user-friendly. Also it might be good to have a more explicit marking of superuser-only extensions. So I'm thinking it might be best to invent a control file property along the lines of superuser = false -- default is true which would presently do nothing except control whether to make a superuser() permissions check before running the script. (In future it might do more, but only after a lot of careful thought.) We'd also have to fix ALTER EXTENSION and DROP EXTENSION to check for extension ownership instead of superuserness, but that would be simple enough, since I already insisted on an extowner column ;-) This looks like it would be at most a few hours' work to change, and it would enable creation of extensions for the built-in languages that can be loaded with the same permissions as before. It would not do anything towards allowing non-superusers to load languages that aren't listed in pg_pltemplate, but it doesn't make things any worse for non-core languages either: they can make extensions that are superuser-loadable, which is the same permissions situation they are in now. Comments? regards, tom lane
pgsql-hackers by date: