Re: [PATCH] New predefined role pg_manage_extensions
Robert Haas <robertmhaas@gmail.com>
From: Robert Haas <robertmhaas@gmail.com>
To: Jelte Fennema-Nio <postgres@jeltef.nl>
Cc: Michael Banck <mbanck@gmx.net>,
PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2025-03-07T13:57:50Z
Lists: pgsql-hackers
On Fri, Jan 12, 2024 at 10:13 AM Jelte Fennema-Nio <postgres@jeltef.nl> wrote: > On Fri, 12 Jan 2024 at 15:53, Michael Banck <mbanck@gmx.net> wrote: > > I propose to add a new predefined role to Postgres, > > pg_manage_extensions. The idea is that it allows Superusers to delegate > > the rights to create, update or delete extensions to other roles, even > > if those extensions are not trusted or those users are not the database > > owner. > > I agree that extension creation is one of the main reasons people > require superuser access, and I think it would be beneficial to try to > reduce that. But I'm not sure that such a pg_manage_extensions role > would have any fewer permissions than superuser in practice. Afaik > many extensions that are not marked as trusted, are not trusted > because they would allow fairly trivial privilege escalation to > superuser if they were. I see that Jelte walked this comment back, but I think this issue needs more discussion. I'm not intrinsically against having a role like pg_execute_server_programs that allows escalation to superuser, but I don't see how it would help a cloud provider whose goal is to NOT allow administrators to escalate to superuser. What am I missing? -- Robert Haas EDB: http://www.enterprisedb.com
Commits
-
Apply quotes more consistently to GUC names in logs
- 8d9978a7176a 17.0 cited