Re: [PATCH] New predefined role pg_manage_extensions - Mailing list pgsql-hackers

From Jelte Fennema-Nio
Subject Re: [PATCH] New predefined role pg_manage_extensions
Msg-id CAGECzQQ2HB85N9PjTAdDTpFCciQmpeE2PcXbc8EKhSF=RPi3fA@mail.gmail.com
In response to [PATCH] New predefined role pg_manage_extensions  (Michael Banck <mbanck@gmx.net>)
Responses Re: [PATCH] New predefined role pg_manage_extensions
List pgsql-hackers
On Fri, 12 Jan 2024 at 15:53, Michael Banck <mbanck@gmx.net> wrote:
> I propose to add a new predefined role to Postgres,
> pg_manage_extensions. The idea is that it allows Superusers to delegate
> the rights to create, update or delete extensions to other roles, even
> if those extensions are not trusted or those users are not the database
> owner.

I agree that extension creation is one of the main reasons people
require superuser access, and I think it would be beneficial to try to
reduce that. But I'm not sure that such a pg_manage_extensions role
would have any fewer permissions than superuser in practice. AFAIK,
many extensions that are not marked as trusted are not trusted
because they would allow fairly trivial privilege escalation to
superuser if they were.


