Re: Extension security improvement: Add support for extensions with an owned schema

Jelte Fennema-Nio <me@jeltef.nl>

From: "Jelte Fennema-Nio" <me@jeltef.nl>
To: "Robert Haas" <robertmhaas@gmail.com>
Cc: "Julien Rouhaud" <rjuju123@gmail.com>, "Artem Gavrilov" <artem.gavrilov@percona.com>, "Tomas Vondra" <tomas@vondra.me>, "David G. Johnston" <david.g.johnston@gmail.com>, "Jeff Davis" <pgsql@j-davis.com>, "PostgreSQL-development" <pgsql-hackers@postgresql.org>
Date: 2026-02-10T23:19:39Z
Lists: pgsql-hackers

Attachments

On Thu, 11 Sept 2025 at 16:52, Robert Haas <robertmhaas@gmail.com> wrote:
> OK. Perhaps that needs some associated tests?

Added now in v8, as well as a bunch of other tests. Including a test for
trusted extensions, and a fix so that for trusted extensions the owned
schema is owned by the bootstrap superuser. Changes made since v7 can be
found in nocfbot.changes.diff.

> To be honest, I'm kind of leaning at this point toward saying we
> shouldn't impose any special restrictions here. If the DROP doesn't
> cascade, then the worst thing that can happen is that you make it hard
> for yourself to drop your own extension cleanly. I think letting the
> superuser and the schema owner do things and other people not is too
> weird -- it basically boils down to ignoring GRANT sometimes, and I
> think users will find it confusing.

I agree. I kept it like that.