Home > mailing lists

Re: [PATCH] New predefined role pg_manage_extensions - Mailing list pgsql-hackers

From	Jelte Fennema-Nio
Subject	Re: [PATCH] New predefined role pg_manage_extensions
Date	January 12 18:13:27
Msg-id	CAGECzQQ2HB85N9PjTAdDTpFCciQmpeE2PcXbc8EKhSF=RPi3fA@mail.gmail.com Whole thread Raw
In response to	[PATCH] New predefined role pg_manage_extensions (Michael Banck <mbanck@gmx.net>)
Responses	Re: [PATCH] New predefined role pg_manage_extensions
List	pgsql-hackers

Tree view

On Fri, 12 Jan 2024 at 15:53, Michael Banck <mbanck@gmx.net> wrote:
> I propose to add a new predefined role to Postgres,
> pg_manage_extensions. The idea is that it allows Superusers to delegate
> the rights to create, update or delete extensions to other roles, even
> if those extensions are not trusted or those users are not the database
> owner.

I agree that extension creation is one of the main reasons people
require superuser access, and I think it would be beneficial to try to
reduce that. But I'm not sure that such a pg_manage_extensions role
would have any fewer permissions than superuser in practice. Afaik
many extensions that are not marked as trusted, are not trusted
because they would allow fairly trivial privilege escalation to
superuser if they were.

pgsql-hackers by date:

From: Heikki Linnakangas
Date: 12 January, 18:12:14
Subject: Re: Stack overflow issue

From: Peter Eisentraut
Date: 12 January, 18:33:44
Subject: Re: Make all Perl warnings fatal

Re: [PATCH] New predefined role pg_manage_extensions - Mailing list pgsql-hackers

Previous

Next