Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1ugInz-000xYS-PF for pgsql-hackers@arkaria.postgresql.org; Mon, 28 Jul 2025 08:01:57 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1ugIny-005pUt-Lg for pgsql-hackers@arkaria.postgresql.org; Mon, 28 Jul 2025 08:01:54 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1ugIny-005pUk-8I for pgsql-hackers@lists.postgresql.org; Mon, 28 Jul 2025 08:01:54 +0000 Received: from mail-lf1-x12a.google.com ([2a00:1450:4864:20::12a]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1ugInu-001GKi-33 for pgsql-hackers@postgresql.org; Mon, 28 Jul 2025 08:01:53 +0000 Received: by mail-lf1-x12a.google.com with SMTP id 2adb3069b0e04-55516abe02cso5201115e87.0 for ; Mon, 28 Jul 2025 01:01:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jeltef.nl; s=google; t=1753689710; x=1754294510; darn=postgresql.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=KFUouhOy8sveyPx/F7tdHfbSyQpSkAwcsJSR57SMvvI=; b=onyKDXE8rcXwwRKQIfT/OFmlGINRA9zABLgFkkykDf0lwf0TmfxezApTgO30QUdJ0T OqS398eR1Rjm1vCZUQlmMWZclRFQlLIXY3izcr558XkuJbd1mLGPi3QRX4KzcX9YsvpE Nfq2I2OmMMX3yLO3CXqvqWZR91VeIAjeJKQnNQ6kSMI9lqa/QT3XoPFgX8hleX1Qv+HM wxgLwc5L5QnRse4xKVEBZ7NessuOHrADbwCG8j72emGZrX+yt07NX1ccO9Tk5UzaqtBF 1o3WrWsfB5VAS7fiDuOHhB9s2dL2rSIzaT0b9Cqkk3LQdHFRKKUDc1zqgzIegFK//JgO qx7A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1753689710; x=1754294510; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=KFUouhOy8sveyPx/F7tdHfbSyQpSkAwcsJSR57SMvvI=; b=NADokJJvmpqxpxGWsapdq8LY/tjO4ASqC9xO8FK8+8OGpu86YU9s1/g+rH6ppl0MGY UxbKZO8O/3bJxFXLcQ+Q48i1iFfBmDjzwDyIZJiEoswGgHQFzBaLLojNKKKO7SAwIJUh 4ey9gi15aFTOkZYJ3Jz1rceuVFx0SAehuwXvNeVhn1pedeN0lleyY8vW3S4CCRE9ZkrI PsEiemVeHOlqlipDcdZc/LrUvdyMQYMMzSKum4aJ2RfCA3b/LOAeoDYyZvlEahw91Qbo FEn+iONKWK3j6ew3+crwjSRD9zqaXQgnnO5zn6TpM49RBmgqj5YKhDjDy739VtXH0nKL X5yg== X-Forwarded-Encrypted: i=1; AJvYcCWRPgw6z8ogRw0T7UwxMQtKCTY9Lx9Mh382wnXxbN+buYQj4EJ9sx9xiXiXXpSkylMcTa9F9N2nLWtsMcC3@postgresql.org X-Gm-Message-State: AOJu0Yxdaqs68bKWx/LzhxO8J1cQry2hZ8FSDfnW3mRnSbsO+6MRxRdS AQZuhcb/n4taPk3EJCgytSyLEVwzKsZHa/TzwJV0E2pJi5hG4YTmoLwRxCWGCzcif9TSUI4HsCL Zyskc2QuzT757YZxm3LuGSWuB0bCDHmUor2hzfjXUhg== X-Gm-Gg: ASbGncsVQz3BY/CiFI5LC6I7EkJWayvsBRyWuJVxYrwUnnUx4Ffeaprc0YX75KxXEcV 1xbLJCaCratFDN6WMGeCIXZ+z4+HUGUrjkaky8pX+eE5IA6cmMo8IB2jrEQMryZsG9ylBh2NT9w 8RzRN+ZB/q3zxeBS0Yc0QZgI3uQmadesXsdcLaRe8N8MRviy1pKhTkP/jpEdma8w8rqrQ+kTNbO h5RFDof X-Google-Smtp-Source: AGHT+IFmiZ3DNgYe7x3zVA+cMKqRda8ySx4cUiaP0ceOjm1dU2QreWJ1hh1SBvr8YL3M+4ZhJhgwLK+eAERVY55RyEM= X-Received: by 2002:a05:6512:4028:b0:558:f939:4435 with SMTP id 2adb3069b0e04-55b558b8ed8mr4450802e87.13.1753689710202; Mon, 28 Jul 2025 01:01:50 -0700 (PDT) MIME-Version: 1.0 References: <585e996c-a5c6-4e61-acc4-d92b7a1458ea@vondra.me> In-Reply-To: From: Jelte Fennema-Nio Date: Mon, 28 Jul 2025 10:01:38 +0200 X-Gm-Features: Ac12FXxrb2RvzvjhXAwVhyZLxg6Sg3ybmJJxr6urBSQFZIV1qKWlHRHVo2rqcaE Message-ID: Subject: Re: Extension security improvement: Add support for extensions with an owned schema To: Sadeq Dousti Cc: Tomas Vondra , "David G. Johnston" , Jeff Davis , PostgreSQL-development , "David E. Wheeler" , Artem Gavrilov Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Mon, 28 Jul 2025 at 00:03, Sadeq Dousti wrote: > (a) The patch affects DROP EXTENSION in that it drops the schema as well,= if it's owned by the extension. This needs to be mentioned in the document= ation. In addition, an extra confirmation (e.g., "This will drop schema nnn= n as well, do you wish to continue?") when dropping the extension might be = desired, as the extension schema could contain user data (e.g., pg_cron kee= ps the jobs and their execution details). This is already covered by docs for DROP EXTENSION: "Dropping an extension causes its member objects to be dropped as we= ll. An extra confirmation or requiring of CASCADE seems unnecessary. The schema itself will not contain user objects (that's entirely the point of this change). It indeed might contain tables from the extension, that contain user data, but that's no difference from extension creating tables in other schemas. The only thing that will additionally get removed for owned_schema extensions is the empty schema that contained all of the other objects, that would normally be removed. > (b) From the patch description: > > Writing the sql migration scripts that are run by CREATE EXTENSION > > and ALTER EXTENSION UPDATE are security minefields for extension author= s. > > While "ALTER EXTENSION UPDATE" is mentioned as a minefield, the patch doe= s not fix it (only ALTER EXTENSION ... SET SCHEMA is affected AFAICS). A po= ssible remedy could be that, before the update, the extension makes sure no= (sensitive?) object (e.g., UDF/Operator) created by a non-superuser exists= in its schema. The whole security issue comes from the fact that the schema that an extension gets installed in might be owned by a low-privileged user. By having the schema be created by (and thus be owned by) the extension creator, this whole problem goes away. > (c) Does it make sense to add the "owned_schema" option to the CREATE EXT= ENSION command? Something like: > > CREATE EXTENSION xyz > WITH owned_schema=3Dtrue I don't think that's a good idea. Since the migration script behaviour can change significantly, I don't think it's safe to allow people to specify it in CREATE EXTENSION. Especially because then people would likely also be able to set it to false. > An alternative could be to have it by default true (security by default),= and if the DBA doesn't want it for whatever reason, they have to explicitl= y set it to false during CREATE EXTENSION. I think changing the default would probably be good. Extension authors can then explicitly opt-in to the less secure option if they require that. I didn't want to do that for the initial change, as this seems probably more contentious than adding a new option. > (d) As David (Wheeler) mentioned in the thread, an extension control file= can have the "requires" field, in which an extension X installation depend= s on other extensions Y & Z to be installed. I was thinking if X calls a fu= nction from Y during installation, and Y does not have owned_schema, the se= arch_path confusion attack can be transitively applied. It could make sense= that X refuses to install, unless both Y & Z (=3D all required extensions)= are marked as owned_schema=3Dtrue. Although in favor of backwards compatib= ility, this can be overridable by an option in CREATE EXTENSION, such as "W= ITH transitive_owned_schema=3Dfalse". I think it's fine to depend on extensions without owned_schema as an owned_schema extension. It's not as if it's impossible to write safe extension scripts now, it's just quite hard. An extension author can choose to use owned_schema, to make their own life easier when writing those scripts, but they can still depend on a perfectly safe extension that did not use owned_schema but correctly hardened its extension migration scripts.