Re: Extension security improvement: Add support for extensions with an owned schema
Jelte Fennema-Nio <postgres@jeltef.nl>
From: "Jelte Fennema-Nio" <postgres@jeltef.nl>
To: "Robert Haas" <robertmhaas@gmail.com>
Cc: "Artem Gavrilov" <artem.gavrilov@percona.com>, "Jelte Fennema-Nio"
<me@jeltef.nl>, "Tomas Vondra" <tomas@vondra.me>, "David G. Johnston"
<david.g.johnston@gmail.com>, "Jeff Davis" <pgsql@j-davis.com>,
"PostgreSQL-development" <pgsql-hackers@postgresql.org>
Date: 2025-09-01T14:44:41Z
Lists: pgsql-hackers
Attachments
- v6-0001-Add-support-for-extensions-with-an-owned-schema.patch (text/x-patch) patch v6-0001
On Mon Aug 11, 2025 at 9:23 PM CEST, Robert Haas wrote: > On Mon, Aug 11, 2025 at 1:55 PM Robert Haas <robertmhaas@gmail.com> wrote: >> [ some review ] Attached is a patch that addresses your comments I think. I restructured the schema creation code, and added more comments to the AlterExtensionNamespace code (I couldn't find a way to make the structure clearer). > Another thing that's occurring to me here is that nothing prevents > other objects from making their way into the owned schema. Sure, if we > create a new schema with nobody having any permissions, then only the > creating role or some role that has its privileges can add anything in > there. But that could happen by accident, or privileges could later be > granted and somebody could add something into the extension schema > after that. I wonder whether we should lock this down tighter somehow > and altogether forbid creating objects in that schema except from an > extension create/upgrade script for the owning extension. I think that's an interesting idea, and I started with a change to try this out, that I intend to finish soon. It doesn't seem strictly necessary, though.