Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1utRB4-0079Zm-Tn
	for pgsql-hackers@arkaria.postgresql.org; Tue, 02 Sep 2025 13:36:03 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.94.2)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1utRB3-003pJM-V0
	for pgsql-hackers@arkaria.postgresql.org; Tue, 02 Sep 2025 13:36:02 +0000
Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29])
	by malur.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <robertmhaas@gmail.com>)
	id 1utRB3-003pJD-J2
	for pgsql-hackers@lists.postgresql.org; Tue, 02 Sep 2025 13:36:02 +0000
Received: from mail-ej1-x631.google.com ([2a00:1450:4864:20::631])
	by magus.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.96)
	(envelope-from <robertmhaas@gmail.com>)
	id 1utRB0-000BFJ-12
	for pgsql-hackers@postgresql.org;
	Tue, 02 Sep 2025 13:36:01 +0000
Received: by mail-ej1-x631.google.com with SMTP id
 a640c23a62f3a-b042cc397dcso276394066b.1
        for <pgsql-hackers@postgresql.org>;
 Tue, 02 Sep 2025 06:35:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1756820158; x=1757424958;
 darn=postgresql.org;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:from:to:cc:subject:date
         :message-id:reply-to;
        bh=eWoEU8MeTUKd2wQvBNV+EvEEjBDkbtkoQBpPgjB8cvY=;
        b=ZbanUMkS7vnGOmmHuNOaNjX9JEQ0WqGGwYzBWur9jK7hgCEtvGFbUji/Ed2AD3vlDo
         EMFnEJc1S65vDc72qWZ8eOGHCIP/lfEdUIfDCjqCucHXQcZmEykp6d16dPslGv0ucgyr
         sc0DiJIyMhRTzUzDllDAs0HwRgomeWbR3whMYZjAn33xnq986wBl3HCuTS3vvcc1vZHG
         KONTh+R7TEAN8LXwYleluRIz5Wr3I32ZN1szhKjIJ14MJ0TJngig/Euw/ue5HLrI3DGM
         kZzcQgidOCDP9wXHYaWHo0Vm9ogctsi9DXLQc0zZMYytdpR5BJTYPF65bn5/rwiokMj2
         aqyg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1756820158; x=1757424958;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=eWoEU8MeTUKd2wQvBNV+EvEEjBDkbtkoQBpPgjB8cvY=;
        b=nOnFpfOWzR/KWcvlLxUryfu/IMlEA4x2/pr3lVLuJdmsW2I9Un+A27ssdz8MLgP1Eb
         ARrrnI5oe0w83t9aOMzWigiXOlBRwTRox4bpc/OslHGbOMoDOJvNK96XXJiGb8anEmvd
         e1P+2GX7oNkxkqyRR3oTd68RBIGag0Ctfls9wjyqL0LwyWumhGFA+q8eGnAMv+Otq8HX
         AHvZn64vhacni+yzwyhRb2o8ilp2KslmgF6qOlkWA7f23p6vTH84SgQiv96VKYxGFdYv
         fanF7yyhOG9pxbhF5Wzkn7Kyhr7NyhpXzjl1OWxvuhQxY4qcNO80JdmnjMjmQtL9H5Nu
         zlfA==
X-Forwarded-Encrypted: i=1;
 AJvYcCUWRkds+1/6yGRLbmunFbZ4WIbneUXYbmCwXp7wpW+sUZ1Tl7uV7WjO//yi8gfSbVHeQsCkxtKnqrEu1jHo@postgresql.org
X-Gm-Message-State: AOJu0Yw2COStgEaE0mYHyJKXDdGhzvgfFdsSv7aYHUfAEjf8JV3h88/D
	UCHCJxwaZnKIdf8CDJqKV4s1I8lTObCco6xEMAOiQ3DqeEDQHIxL52GPXP04zsqpmsc9Mgy7MyM
	NtZyOzuzQpg0un9/uSrD1s9C2WCVikUo=
X-Gm-Gg: ASbGncumu3swwi0XcG1Kg2NswR6s+uzWbvXLLs2t8CnFrJPy6f4T+LviQHYa4A645W1
	28u8v+4+aclWtgJ2cK7MKWwm9epFqzvW6TKHnOk+Qw81cw4Yf6X11GEI4XlCFVlpnQBiCLIgist
	IeS7ic2ZrGYzx14LajdmYcH/Qv3iGFfy8IUHlKtjcHHsW/ow0P7lQKIgGqE0USslP1MY3bOL2oq
	sgP+oeITN1hhwp2ow==
X-Google-Smtp-Source: 
 AGHT+IHjze3vV/14Gh5bxDmWmdu6sRYBuL0L0IvQQMyiL8wATxEwiIDneEagsoPrsPhBMy80ga45PryrdxWssF6K23s=
X-Received: by 2002:a17:907:6e89:b0:b04:23e0:5c2b with SMTP id
 a640c23a62f3a-b0423e072b7mr861348466b.0.1756820157844; Tue, 02 Sep 2025
 06:35:57 -0700 (PDT)
MIME-Version: 1.0
References: 
 <CAKFQuwaT4_n=e0YKBZAyox1CQUra2ka0cySs+3pGZR5p50pn-g@mail.gmail.com>
 <CAGECzQTOJrnnJkmMe9nems0jouiKUbFcEb1rb9kE_svsAZiGQg@mail.gmail.com>
 <585e996c-a5c6-4e61-acc4-d92b7a1458ea@vondra.me>
 <CAGECzQS02M6YPDXemo36tShO-ZYObjqnyTJyVttua1PGyN4xRw@mail.gmail.com>
 <CAFPkQKzALOTTBrhj2qDHwVxZQyjF5Xg_P9M=Tn_Dcm3vr=xdTA@mail.gmail.com>
 <DBOFQN54M5FX.1XWJE4LKMR8XH@jeltef.nl>
 <CA+TgmoY=NO7_L=UDuoUWj-icABF-7EP=UNUXCFBYpDNFoUZmbA@mail.gmail.com>
 <CA+TgmoYDdYA1paUKtfHfx-iDdCKrL05m2OwPHz7SQ03t49f2oQ@mail.gmail.com>
 <CAOBaU_YTJwo=jevDDKXRjwFUqON2VoWqz=Aw0FedyxbfYSiisw@mail.gmail.com>
 <CAGECzQS9JqWv+zJR-e-1JMH7GhCnLc4vD9H-uEui8E5Ba9Trpw@mail.gmail.com>
 <aLaysb-v12hPW22V@jrouhaud>
In-Reply-To: <aLaysb-v12hPW22V@jrouhaud>
From: Robert Haas <robertmhaas@gmail.com>
Date: Tue, 2 Sep 2025 09:35:45 -0400
X-Gm-Features: Ac12FXybdf7P5Lv1uiK13F1MYSlNdj_SvIqPXXZOIyQxhrLoE8uGOJWRcVkIHU0
Message-ID: 
 <CA+TgmoawwAoRZH2Hm8w-RP1QOebK9LQ=NzeJWWAz+pYhSQPT0g@mail.gmail.com>
Subject: Re: Extension security improvement: Add support for extensions with
 an owned schema
To: Julien Rouhaud <rjuju123@gmail.com>
Cc: Jelte Fennema-Nio <me@jeltef.nl>,
 Artem Gavrilov <artem.gavrilov@percona.com>,
	Tomas Vondra <tomas@vondra.me>,
 "David G. Johnston" <david.g.johnston@gmail.com>,
	Jeff Davis <pgsql@j-davis.com>,
 PostgreSQL-development <pgsql-hackers@postgresql.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
List-Id: <pgsql-hackers.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-hackers@lists.postgresql.org>
List-Owner: <mailto:pgsql-hackers-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-hackers>
Archived-At: 
 <https://www.postgresql.org/message-id/CA%2BTgmoawwAoRZH2Hm8w-RP1QOebK9LQ%3DNzeJWWAz%2BpYhSQPT0g%40mail.gmail.com>
Precedence: bulk

On Tue, Sep 2, 2025 at 5:02=E2=80=AFAM Julien Rouhaud <rjuju123@gmail.com> =
wrote:
> Requiring superuser permission seems like a big penalty, especially since=
 the
> last few years have been all about *not* requiring superuser privileges. =
 Note
> also that not all extensions embeds compiled code, some are just doing pl=
ain
> plpgsql and work just fine.
>
> Why not requiring schema owner privileges?

I agree with you that requiring superuser privileges is undesirable.
However, requiring schema owner privileges isn't really requiring
anything above and beyond what the permissions system would require
anyway, since at the start, nobody else will have privileges on that
schema. And that's where what Jelte was proposing -- and also what you
propose here -- seems very accident-prone to me. It would be quite
easy for the user who created the extension, and who therefore also
owns the schema IIUC, to accidentally put other stuff there, or allow
others to do so, and that might undermine the safe search_path
guarantee that is the purpose of this patch. I am not fixed on any
particular method of making that guarantee more robust, but I am in
favor of trying to come up with some way of making it more robust.

The first thought that popped into my head was that maybe your
extension should make the objects it creates part of the extension,
but I think that doesn't actually work, because it would mean that
they would not be dumped. I think what you've got is something
intermediate between full extension membership (where installing the
extension creates the objects) and non-membership (where the objects
are created by the user and unaffiliated with the extension) but we
have no concept of that in the system today. Should we?

Another thing to consider here is what happens when somebody tries to
drop the extension. As Jelte coded it in the last version I read, it
just blows away the schema. I don't remember whether it used RESTRICT
(in which case the presence of unrelated objects in the schema would
result in failure) or CASCADE (in which case they would be silently
blown away) but I don't like either option very much. The former would
be pretty inconvenient in a use case like yours, and the latter would
be terrible if there were valuable, unrelated objects in the schema. I
think CASCADE is the right answer as long as there's something that
makes it unlikely that the schema has any unanticipated contents.

Here are a few possible ways forward:

(1) Invent, as proposed above, an intermediate level of extension
membership where objects are dropped with the extension but are still
dumped, and find a way for extensions to create objects in an owned
schema only if the new object will be either fully owned by the
extension or at least at this intermediate level.

(2) Decide that extensions that create additional objects in the
schema shouldn't use owned schemas, and document this.

(3) Add a mechanism to track when an extension-owned function is
executing, and only allow objects to be created in an extension-owned
schema when that's the case.

(4) Add a GUC that overrides the usual prohibition on creating objects
in an extension-owned schema, and let users or the extension set it if
they wish.

(5) Decide I'm wrong and that we should just let objects be created
freely in the owned schema. Document the consequences of this and
blame any problems on user error.

(6) Your superior idea goes here!

--=20
Robert Haas
EDB: http://www.enterprisedb.com