Home > mailing lists

Re: Extension security improvement: Add support for extensions with an owned schema - Mailing list pgsql-hackers

From	Jelte Fennema-Nio
Subject	Re: Extension security improvement: Add support for extensions with an owned schema
Date	September 2 10:37:31
Msg-id	CAGECzQS9JqWv+zJR-e-1JMH7GhCnLc4vD9H-uEui8E5Ba9Trpw@mail.gmail.com Whole thread Raw
In response to	Re: Extension security improvement: Add support for extensions with an owned schema (Julien Rouhaud <rjuju123@gmail.com>)
Responses	Re: Extension security improvement: Add support for extensions with an owned schema
List	pgsql-hackers

Tree view

On Tue, 2 Sept 2025 at 02:03, Julien Rouhaud <rjuju123@gmail.com> wrote:
> One not too uncommon scenario is an extension in a dedicated schema that creates additional objects dynamically, for
instancecreating new partitions using triggers on one of the extension table.
 

Interesting. I didn't know there were extensions that did that. That
definitely doesn't seem like a very common pattern though.

But I don't think that's a problem for this idea. In the
implementation I'm working on, superuser would still be allowed to
create objects in such locked down owned schemas. So as long as the
extension upgrades its permissions to superuser during these DDLs it
should still be fine. (easy to do with SECURITY DEFINER or by
temporarily changing permissions from C)

pgsql-hackers by date:

From: Yugo Nagata
Date: 02 September, 10:33:41
Subject: Re: Allow to collect statistics on virtual generated columns

From: Yura Sokolov
Date: 02 September, 10:37:59
Subject: Re: LISTEN/NOTIFY bug: VACUUM sets frozenxid past a xid in async queue

Re: Extension security improvement: Add support for extensions with an owned schema - Mailing list pgsql-hackers

Previous

Next