Re: Extension security improvement: Add support for extensions with an owned schema
Robert Haas <robertmhaas@gmail.com>
From: Robert Haas <robertmhaas@gmail.com>
To: Jelte Fennema-Nio <me@jeltef.nl>
Cc: Julien Rouhaud <rjuju123@gmail.com>,
Artem Gavrilov <artem.gavrilov@percona.com>, Tomas Vondra <tomas@vondra.me>,
"David G. Johnston" <david.g.johnston@gmail.com>, Jeff Davis <pgsql@j-davis.com>,
PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2025-09-11T13:01:51Z
Lists: pgsql-hackers
On Sat, Sep 6, 2025 at 3:35 AM Jelte Fennema-Nio <me@jeltef.nl> wrote: > I think that sounds like reasonable change to Roberts initial > proposal: Allowing the schema owner and superusers to add objects in > the schema, but disallow all other users (even if they have CREATE > privileges on the schema). I don't know, I'm not really convinced. I feel like this isn't really a security issue but more of a could-be-an-unpleasant-surprise issue. What the patch does (IIRC) is make it so that dropping the extension just cascade-drops the schema. If the schema contains anything unrelated to the extension, that's going to remove stuff that it shouldn't remove. In Julien's examples, the other stuff that gets introduced into the schema is logically part of the extension even if it doesn't formally have membership in the extension, but somebody could equally well just install an unrelated extension in the same schema and then drop the first extension and, whoops. -- Robert Haas EDB: http://www.enterprisedb.com