Re: Question: CREATE EXTENSION and create schema permission?
From: Kohei KaiGai <kaigai@kaigai.gr.jp>
To: Dimitri Fontaine <dimitri@2ndquadrant.fr>
Cc: PgHacker <pgsql-hackers@postgresql.org>
Date: 2011-08-22T09:14:45Z
Lists: pgsql-hackers
Attachments
- pgsql-create-extension-permission-checks.patch (application/octet-stream)
The attached patch adds a permission check for the scenario that I explained below.
Unlike CreateSchemaCommand(), we don't have check_is_member_of_role() here because the extowner is obviously the same as the current user in this code path.

I hope this patch will also be back-ported to the v9.1 tree, not only v9.2 development.

Thanks,

2011/8/21 Dimitri Fontaine <dimitri@2ndquadrant.fr>:
> Kohei KaiGai <kaigai@kaigai.gr.jp> writes:
>> The current implementation sets the current user as owner of the new schema.
>> The default permission check of schema allows the owner to create several kinds
>> of underlying objects.
>>
>> As a result, we may consider a scenario in which a user without permissions to
>> create new objects possibly gets a schema created by CREATE EXTENSION
>> that allows him to create new objects (such as table, function, ...).
>>
>> I don't think it is a desirable behavior. :-(
>
> Agreed,
> --
> Dimitri Fontaine
> http://2ndQuadrant.fr     PostgreSQL : Expertise, Formation et Support
>
--
KaiGai Kohei <kaigai@kaigai.gr.jp>
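
An audit query for the scenario discussed in this message, added here as an example (it is not part of the original email or the attached patch): it lists schemas used by installed extensions whose owner does not hold CREATE on the current database. The catalogs do not record whether CREATE EXTENSION itself created a schema, so the rows are candidates to review, not confirmed cases.

```sql
-- Added example: find extension schemas owned by a role that lacks
-- CREATE on the current database, i.e. a role that could not have
-- created the schema with a plain CREATE SCHEMA.
-- Run in each database that has extensions installed.
SELECT e.extname                                  AS extension,
       n.nspname                                  AS schema_name,
       pg_get_userbyid(n.nspowner)                AS schema_owner,
       -- Schema ownership implies CREATE inside the schema, which is
       -- what lets the owner add tables, functions, and so on.
       has_schema_privilege(n.nspowner, n.oid, 'CREATE')
                                                  AS owner_can_create_in_schema
FROM   pg_extension e
JOIN   pg_namespace n ON n.oid = e.extnamespace
       -- has_database_privilege() always returns true for superusers,
       -- so superuser-owned schemas such as "public" are not reported.
WHERE  NOT has_database_privilege(n.nspowner,
                                  current_database()::text,
                                  'CREATE')
ORDER  BY e.extname;
```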