From: Jelte Fennema-Nio
Date: Sat, 6 Sep 2025 09:35:10 +0200
Subject: Re: Extension security improvement: Add support for extensions with an owned schema
To: Julien Rouhaud
Cc: Robert Haas, Artem Gavrilov, Tomas Vondra, "David G. Johnston", Jeff Davis, PostgreSQL-development
References: <585e996c-a5c6-4e61-acc4-d92b7a1458ea@vondra.me>

On Sat, 6 Sept 2025 at 02:17, Julien Rouhaud wrote:
> Requiring schema owner privilege wouldn't allow the user who created the
> extension to allow other users to mess up with the extension's private schema?
> At least not with a simple GRANT on the schema.

I think that sounds like a reasonable change to Robert's initial proposal: allowing the schema owner and superusers to add objects in the schema, but disallowing all other users (even if they have CREATE privileges on the schema).

I think this seems reasonable from a security perspective. The thing owned_schema protects against is accidentally executing code with the permissions of the extension script runner. The owner of the schema is always the same user as the extension script runner. But it protects users from the somewhat easy-to-make mistake of GRANT ALL ON SCHEMA (instead of GRANT USAGE ON SCHEMA).

Note that this means that even with trusted=true, a non-superuser extension owner would still not be able to the schema. For that superuser=false is needed in the control file.

The only thing I'm wondering is if we should allow changing the schema owner with ALTER SCHEMA OWNER TO. Because that would break this assumption:

> The owner of the schema is always the same user as the extension script runner.

But that command seems unlikely to be run by accident. But on the other hand, I don't really see a use case for changing the schema owner, except for breaking this protection. So I'm leaning towards disallowing ALTER SCHEMA OWNER TO on the schema, probably even for superusers.
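As an added example (not part of this thread and not PostgreSQL project code), the GRANT ALL vs GRANT USAGE mistake discussed above, the corrected grant, and two audit queries that find, on a current server without the proposed owned_schema option, the situations the proposal would rule out: the schema name ext_private and the roles ext_owner and app_user are assumed.

```sql
-- Added example; assumed setup: extension objects live in schema ext_private,
-- owned by role ext_owner (also the extension owner), and application role
-- app_user needs to call the extension's functions. Names are constructed.

-- The easy-to-make mistake: ALL on a schema includes CREATE, so app_user can
-- add its own objects to the extension's private schema.
GRANT ALL ON SCHEMA ext_private TO app_user;

-- What was usually intended: USAGE only lets app_user reference objects that
-- are already there.
REVOKE CREATE ON SCHEMA ext_private FROM app_user;
GRANT USAGE ON SCHEMA ext_private TO app_user;

-- Audit 1: every role that can CREATE in a schema holding an extension but is
-- neither the schema owner nor a superuser. Under the proposal such rows could
-- not exist; today each row is a grant to review. A CREATE grant to PUBLIC
-- (pre-15 "public" schema) shows up as one row per role.
SELECT e.extname,
       n.nspname AS schema_name,
       o.rolname AS schema_owner,
       r.rolname AS role_with_create
FROM pg_extension e
JOIN pg_namespace n ON n.oid = e.extnamespace
JOIN pg_roles o     ON o.oid = n.nspowner
JOIN pg_roles r     ON has_schema_privilege(r.oid, n.oid, 'CREATE')
WHERE r.oid <> n.nspowner
  AND NOT r.rolsuper
  AND r.rolname NOT LIKE 'pg\_%'
ORDER BY e.extname, r.rolname;

-- Audit 2: the invariant the thread relies on ("the owner of the schema is
-- always the same user as the extension script runner"). A row here means the
-- schema owner diverged from the extension owner, e.g. via ALTER SCHEMA OWNER TO.
SELECT e.extname,
       n.nspname  AS schema_name,
       eo.rolname AS extension_owner,
       so.rolname AS schema_owner
FROM pg_extension e
JOIN pg_namespace n ON n.oid = e.extnamespace
JOIN pg_roles eo    ON eo.oid = e.extowner
JOIN pg_roles so    ON so.oid = n.nspowner
WHERE e.extowner <> n.nspowner
ORDER BY e.extname;
```

Extensions installed into pg_catalog do not appear in the first query because non-superusers hold no CREATE there by default; an empty result for both queries is the state the proposal would enforce.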