From: Robert Haas
Date: Mon, 11 Aug 2025 15:23:42 -0400
Subject: Re: Extension security improvement: Add support for extensions with an owned schema
To: Jelte Fennema-Nio
Cc: Artem Gavrilov, Jelte Fennema-Nio, Tomas Vondra, "David G. Johnston", Jeff Davis, PostgreSQL-development

On Mon, Aug 11, 2025 at 1:55 PM Robert Haas wrote:
> [ some review ]

Another thing that's occurring to me here is that nothing prevents other objects from making their way into the owned schema. Sure, if we create a new schema with nobody having any permissions, then only the creating role or some role that has its privileges can add anything in there. But that could happen by accident, or privileges could later be granted and somebody could add something into the extension schema after that. I wonder whether we should lock this down tighter somehow and altogether forbid creating objects in that schema except from an extension create/upgrade script for the owning extension.

-- 
Robert Haas
EDB: http://www.enterprisedb.com
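An added illustration of the concern above, not code from the thread or from the patch under review: a catalog query that lists relations and functions sitting in an extension's schema that are not recorded as members of that extension (pg_depend rows with deptype 'e'), which is exactly the "other objects made their way into the owned schema" case. It assumes an installed extension named myext whose objects live in a schema also named myext; both names are placeholders.

```sql
-- Added example (not from the thread). Placeholders: extension and schema
-- are both assumed to be called 'myext'.
WITH ext AS (
    -- the extension's OID and the OID of the schema it is supposed to own
    SELECT e.oid AS extoid, n.oid AS nspoid
    FROM pg_extension e
    JOIN pg_namespace n ON n.nspname = 'myext'
    WHERE e.extname = 'myext'
),
members AS (
    -- every object the extension owns: pg_depend records extension
    -- membership as a dependency of type 'e' on the pg_extension row
    SELECT d.classid, d.objid
    FROM pg_depend d
    JOIN ext ON d.refobjid = ext.extoid
    WHERE d.refclassid = 'pg_extension'::regclass
      AND d.deptype = 'e'
)
-- relations (tables, views, sequences, indexes...) in the schema that are
-- not members of the extension
SELECT 'relation' AS kind, c.relname AS name,
       pg_get_userbyid(c.relowner) AS owner
FROM pg_class c
JOIN ext ON c.relnamespace = ext.nspoid
WHERE NOT EXISTS (SELECT 1 FROM members m
                  WHERE m.classid = 'pg_class'::regclass AND m.objid = c.oid)
UNION ALL
-- functions and procedures in the schema that are not members either
SELECT 'function', p.proname, pg_get_userbyid(p.proowner)
FROM pg_proc p
JOIN ext ON p.pronamespace = ext.nspoid
WHERE NOT EXISTS (SELECT 1 FROM members m
                  WHERE m.classid = 'pg_proc'::regclass AND m.objid = p.oid)
ORDER BY 1, 2;
```

An empty result means the schema contains only what the extension's own scripts created; any row is an object that got there by another path and is worth checking against the schema's current privileges.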