From: Robert Haas
Date: Thu, 11 Sep 2025 09:01:51 -0400
Subject: Re: Extension security improvement: Add support for extensions with an owned schema
To: Jelte Fennema-Nio
Cc: Julien Rouhaud, Artem Gavrilov, Tomas Vondra, "David G. Johnston", Jeff Davis, PostgreSQL-development
References: <585e996c-a5c6-4e61-acc4-d92b7a1458ea@vondra.me>

On Sat, Sep 6, 2025 at 3:35 AM Jelte Fennema-Nio wrote:
> I think that sounds like a reasonable change to Robert's initial
> proposal: Allowing the schema owner and superusers to add objects in
> the schema, but disallow all other users (even if they have CREATE
> privileges on the schema).

I don't know, I'm not really convinced. I feel like this isn't really a security issue but more of a could-be-an-unpleasant-surprise issue. What the patch does (IIRC) is make it so that dropping the extension just cascade-drops the schema. If the schema contains anything unrelated to the extension, that's going to remove stuff that it shouldn't remove. In Julien's examples, the other stuff that gets introduced into the schema is logically part of the extension even if it doesn't formally have membership in the extension, but somebody could equally well just install an unrelated extension in the same schema and then drop the first extension and, whoops.

-- 
Robert Haas
EDB: http://www.enterprisedb.com
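
A pre-drop check for the surprise described in the message above, as an added example that is not part of the thread or the patch: it lists relations, routines and non-array types that live in an extension's schema without being members of that extension, using only the standard catalogs. `my_ext` is a placeholder extension name, and other object kinds (operators, collations and so on) are not covered.

```sql
-- Added example: objects in the extension's schema that a cascading drop
-- of that schema would remove even though they are not extension members.
-- 'my_ext' is a placeholder; substitute the extension being dropped.
WITH ext AS (
    SELECT oid AS extoid, extnamespace AS nspoid
    FROM pg_extension
    WHERE extname = 'my_ext'
),
candidates AS (
    -- Tables, partitioned tables, views, matviews, sequences, foreign tables
    SELECT 'pg_class'::regclass::oid AS classid, c.oid AS objid,
           c.relnamespace AS nspoid
    FROM pg_class c
    WHERE c.relkind IN ('r', 'p', 'v', 'm', 'S', 'f')
    UNION ALL
    -- Functions, procedures, aggregates
    SELECT 'pg_proc'::regclass::oid, p.oid, p.pronamespace
    FROM pg_proc p
    UNION ALL
    -- Base, domain, enum and range types; implicit array types are skipped
    SELECT 'pg_type'::regclass::oid, t.oid, t.typnamespace
    FROM pg_type t
    WHERE t.typtype IN ('b', 'd', 'e', 'r') AND t.typcategory <> 'A'
)
SELECT pg_describe_object(c.classid, c.objid, 0) AS object_outside_extension,
       -- NULL means a loose object; otherwise the other extension owning it
       (SELECT o.extname
          FROM pg_depend d
          JOIN pg_extension o ON o.oid = d.refobjid
         WHERE d.classid = c.classid AND d.objid = c.objid
           AND d.refclassid = 'pg_extension'::regclass
           AND d.deptype = 'e') AS member_of
FROM candidates c
JOIN ext e ON e.nspoid = c.nspoid
WHERE NOT EXISTS (
    -- deptype 'e' marks membership in an extension
    SELECT 1
    FROM pg_depend d
    WHERE d.classid = c.classid AND d.objid = c.objid
      AND d.refclassid = 'pg_extension'::regclass
      AND d.refobjid = e.extoid
      AND d.deptype = 'e'
)
ORDER BY 1;
```

An empty result means nothing of these kinds sits in the schema outside the extension; a non-NULL `member_of` is the "unrelated extension in the same schema" case from the message.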