Re: Extension Templates S03E11

From: Jeff Davis <pgsql(at)j-davis(dot)com>
To: Dimitri Fontaine <dimitri(at)2ndQuadrant(dot)fr>
Cc: Stephen Frost <sfrost(at)snowman(dot)net>, Peter Eisentraut <peter_e(at)gmx(dot)net>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Boszormenyi Zoltan <zb(at)cybertec(dot)at>, Thom Brown <thom(at)linux(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Extension Templates S03E11
Date: 2013-11-30 21:00:28
Message-ID: 1385845228.7500.267.camel@jdavis
Lists: pgsql-hackers

On Wed, 2013-11-27 at 18:34 +0100, Dimitri Fontaine wrote:
> The other main point that will change the current code is dealing with
> superusers and security concerns. Barring objections, I'm going to
> implement a variation of what I did propose in the thread:
>
> When a superuser CREATE EXTENSION against a template that has been
> provided by a non-privileged user, automatically SET ROLE to that user
> before doing so, avoiding privilege escalation.

That proposal is worded like a special case for superusers, and I don't
see why. If the security model is that an extension script is run as the
template owner, then we should just do that universally. If not, making
a special case for superusers undermines the security of
powerful-but-not-superuser roles.

I haven't looked in detail at the security issues here... is this the
result of a consensus or are there still differing opinions?

> If that's not what the superuser intended, then it still is possible for
> him to ALTER TEMPLATE FOR EXTENSION … OWNER TO himself beforehand.

Doesn't sound like a clean workaround.

We already have a model for executing functions, and those are black
boxes of code as well. If we deviate too much from that, I think we're
inviting problems.

Heikki expressed some concerns here:

http://www.postgresql.org/message-id/5152FF3D.4000401@vmware.com

followed by Robert. The concerns seem mostly about the namespace,
because it's hard to be sure that "CREATE EXTENSION foo" installs the
"foo" you expect. Those are very valid practical concerns; but I agree
with Dimitri that this is not a fundamental problem, and we might find a
compromise here that can work.

One idea: if a non-superuser role creates an extension template, then it
is only visible to that exact same role.

The first version might only allow superusers to create extension
templates, but it would be nice to have a plan for non-superusers soon.

Aside: why do file-based templates shadow catalog-based templates?
Shouldn't we just throw an error if both are available at CREATE
EXTENSION time?

Also, I notice that the extension templates are not in shared catalogs;
was that discussed?

(Some of these issues seem underdocumented, as well.)

Regards,
Jeff Davis
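As an added illustration, not part of this message or of the extension-templates patch under discussion, the SQL below puts the two execution models being compared side by side: the existing function model (SECURITY INVOKER versus SECURITY DEFINER), and the proposed extension-template model, where the open question is whether the script runs as the role issuing CREATE EXTENSION or as the template owner. The role name `alice`, the template name `pair`, the script bodies, and the `CREATE TEMPLATE FOR EXTENSION ... AS $$ ... $$` form (only the ALTER TEMPLATE FOR EXTENSION form is quoted in this thread) are assumptions made for the example.

```sql
-- Constructed example: roles, names and script bodies are hypothetical.

-- An ordinary, non-superuser role that will author the code.
CREATE ROLE alice LOGIN;

-------------------------------------------------------------------------
-- 1. The existing model: functions are black boxes of code, and
--    PostgreSQL already defines whose privileges they run with.
-------------------------------------------------------------------------
SET ROLE alice;

-- Default is SECURITY INVOKER: the body runs with the CALLER's privileges.
-- If a superuser calls this, the ALTER ROLE succeeds and alice escalates.
CREATE FUNCTION alice_invoker() RETURNS void LANGUAGE plpgsql AS $$
BEGIN
  EXECUTE 'ALTER ROLE alice SUPERUSER';
END
$$;

-- SECURITY DEFINER: the body runs with the OWNER's (alice's) privileges,
-- so the same statement fails with "must be superuser" no matter who calls.
CREATE FUNCTION alice_definer() RETURNS void LANGUAGE plpgsql
SECURITY DEFINER AS $$
BEGIN
  EXECUTE 'ALTER ROLE alice SUPERUSER';
END
$$;

RESET ROLE;

-- As a superuser:
-- SELECT alice_invoker();  -- would succeed: caller lends superuser rights
-- SELECT alice_definer();  -- fails: runs as alice, who is not superuser

-------------------------------------------------------------------------
-- 2. The proposed model: a catalog-stored template provided by alice.
--    (Assumed CREATE syntax; the thread quotes only the ALTER form.)
-------------------------------------------------------------------------
SET ROLE alice;

CREATE TEMPLATE FOR EXTENSION pair VERSION '1.0' AS $$
  -- Same payload: harmless as alice, an escalation if run as a superuser.
  ALTER ROLE alice SUPERUSER;
$$;

RESET ROLE;

-- As a superuser, whose privileges does the script get?
--   * Run as the caller (INVOKER-like): the ALTER ROLE succeeds.
--   * Dimitri's proposal: superusers are automatically SET ROLE alice
--     first, so it fails, but only superusers get that protection.
--   * The point raised above: run it as the template owner for every
--     caller, matching SECURITY DEFINER, so a powerful-but-not-superuser
--     role (e.g. one with CREATEROLE) is protected in the same way.
CREATE EXTENSION pair;

-- The workaround mentioned in the thread, taking ownership beforehand so
-- the script runs under the superuser's own identity on purpose:
-- ALTER TEMPLATE FOR EXTENSION pair OWNER TO postgres;
```

The contrast worth keeping in mind when reading the thread is that SECURITY DEFINER is a property the author chooses per function, whereas the template proposal would pick the execution identity based on who is calling; the message above argues for the former kind of uniformity.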
