Permissions for CREATE OPERATOR CLASS - Mailing list pgsql-hackers

From Tom Lane
Subject Permissions for CREATE OPERATOR CLASS
Date
Msg-id 9868.1030130245@sss.pgh.pa.us
Responses Re: Permissions for CREATE OPERATOR CLASS  (Alvaro Herrera <alvherre@atentus.com>)
List pgsql-hackers
The new CREATE OPERATOR CLASS command will presently let you create an
index opclass if you own the datatype the class is for.  With the
recent emphasis on security I'm thinking that this is not an adequate
permission check.  We don't have any reasonable way of checking that
the provided set of operators and support functions meet the
expectations of the index AM and are mutually consistent.  This means
it's not at all difficult to make an index opclass that will crash
the backend when used.

I'm inclined to require superuser permissions to do CREATE OPERATOR
CLASS.  This would not be a loss of functionality compared to prior
releases, since the old way of creating an opclass involved manual
insertions into system catalogs, also a superuser-only thing.

Comments?
        regards, tom lane

