Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1utEUf-003CeM-9q
	for pgsql-hackers@arkaria.postgresql.org; Tue, 02 Sep 2025 00:03:26 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.94.2)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1utEUe-001R39-GJ
	for pgsql-hackers@arkaria.postgresql.org; Tue, 02 Sep 2025 00:03:24 +0000
Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29])
	by malur.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <rjuju123@gmail.com>)
	id 1utEUe-001R31-3B
	for pgsql-hackers@lists.postgresql.org; Tue, 02 Sep 2025 00:03:24 +0000
Received: from mail-lf1-x12d.google.com ([2a00:1450:4864:20::12d])
	by magus.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.96)
	(envelope-from <rjuju123@gmail.com>)
	id 1utEUa-0005K7-2r
	for pgsql-hackers@postgresql.org;
	Tue, 02 Sep 2025 00:03:23 +0000
Received: by mail-lf1-x12d.google.com with SMTP id
 2adb3069b0e04-55f691c9febso3645014e87.0
        for <pgsql-hackers@postgresql.org>;
 Mon, 01 Sep 2025 17:03:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1756771396; x=1757376196;
 darn=postgresql.org;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:from:to:cc:subject:date:message-id:reply-to;
        bh=u07OmZgI+YcaBdPLGtfSym6xR2EIxOI4QBaM599sG6I=;
        b=NyWmmhRWUgu91M1q4yXykzeNPcdbmye2MCUbPN1IZDm1/IJ1cpO0MFdCHymMrfuF5l
         CeAWCE2SKQVqmusAWRhsMqIqLW7yRYHDrjg52TPjdY4k8N2YFHDEWvVmgUkM5Q5508XA
         ++NLXuyNQ77jHTyACMWE7Y60+H2BX3SpkdS1+gggV7bfp3ycU2S99z8hiEND04Xgh+NQ
         n630/u7UVrFTlsJ9KBBoy6EGATYkbhSSc3g6GHpJbYN5OxKe+qFMHHVzTYmoM7sABULP
         TJYHprvoHmJc379oa2Ss4wIdP3HVCvNPJnK8tym2OECeqHh2ZiMaWeUGn4pe+/8gUOpR
         YXng==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1756771396; x=1757376196;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=u07OmZgI+YcaBdPLGtfSym6xR2EIxOI4QBaM599sG6I=;
        b=Lp6eQ0OX+jg3l7uu8iy12dCVQZGSsulmgcRkwR9Id8ztd/roPbTRcPfCmQ6CLWAjYb
         JFIICgkU8OlJcuGNlXKcgeI1JyBmujNZ7BTP0z/wyLoWWxbAfgCcY5ICSIMdDFKt/98L
         fzHJ+b7QHUjxub1KX7ZWwELuLfyu0S4NrYMPTGhHQX5pwoRHW5OoAAVGLQjTqu0DyhfB
         OWA1TGQkEiNH6Il98xnRUChNNbOAc2J8MrSeDvJKLhz0Otq/EV3PjjFYkGmYxfxqJVg7
         lWoLKbAo45ku7szkKETaIwb6xbZ8AkL9qyXYJT3ds4/iIOwDqV8Hdq3enOCfXiAE+5ff
         85ig==
X-Forwarded-Encrypted: i=1;
 AJvYcCXYTAeVc699eqp1X16I4F9nBwLrDi7KDs2aPPNTXs1nV7KJkMRih7yIRC5wo0FD83wi0b8vxkdr49w9zH/j@postgresql.org
X-Gm-Message-State: AOJu0YyFLI4bjxvctoGJEpGet1CvW6riHvCJwrkOvbTZd4MI5ONjuXiA
	wgq5FRWiHMJ+X1I9UxN9hFMDGzNpiWnoEXWwsEIBz46hdbAM5mVOnhi9SlvUVKKaB5v/LcOIfsY
	Pbj2kc03krAnUfEpD0KDR/+WIEwyPIME=
X-Gm-Gg: ASbGnculXhOdly8ct6gTUjfXqhv+102PdeHGjjuP80AsjJmzwi5vKbCe6njYCJESfOW
	pKPNaKWCY01IAqDgUEItKzCZIaqVfWNaBgswrePvyqPSJk4VRJmy06UrZo0jpx1KfBinnFg0IMV
	dxf4LzdzkFa9YTZGFJoQ0NcXZvb6fnVMCgpSPICy/CO8CDMNRCivEBpBSgEdTKkCIQ+fcWOfh6D
	D0nTct5dihuz5asoQZDH5ZdwDIfn7HT/JyI+cuZKkokehEKiao=
X-Google-Smtp-Source: 
 AGHT+IHOoebhEvuvHU1TTCn7txmksXsk43iqycy75hvFhLqQy3tb/6UTaqzCkTsIpjvyoH2CBjjcxVyvEgbKzcfFb5k=
X-Received: by 2002:a05:6512:32cb:b0:55f:3bca:b161 with SMTP id
 2adb3069b0e04-55f708db526mr2767505e87.27.1756771396003; Mon, 01 Sep 2025
 17:03:16 -0700 (PDT)
MIME-Version: 1.0
References: 
 <CAGECzQQzDqDzakBkR71ZkQ1N1ffTjAaruRSqppQAKu3WF+6rNQ@mail.gmail.com>
 <dbd3cc5a5edde04941c8624dde7e4bd2a063f366.camel@j-davis.com>
 <CAGECzQTe3y6xwP9aMbFBCxKnQEEn3G3=cEDqoD5xaOwPwypd_A@mail.gmail.com>
 <CAGECzQTAgtTp3G=Em3xEY=T=uiKfyu5xLYri9By=sfNBS5C_9A@mail.gmail.com>
 <CAKFQuwaT4_n=e0YKBZAyox1CQUra2ka0cySs+3pGZR5p50pn-g@mail.gmail.com>
 <CAGECzQTOJrnnJkmMe9nems0jouiKUbFcEb1rb9kE_svsAZiGQg@mail.gmail.com>
 <585e996c-a5c6-4e61-acc4-d92b7a1458ea@vondra.me>
 <CAGECzQS02M6YPDXemo36tShO-ZYObjqnyTJyVttua1PGyN4xRw@mail.gmail.com>
 <CAFPkQKzALOTTBrhj2qDHwVxZQyjF5Xg_P9M=Tn_Dcm3vr=xdTA@mail.gmail.com>
 <DBOFQN54M5FX.1XWJE4LKMR8XH@jeltef.nl>
 <CA+TgmoY=NO7_L=UDuoUWj-icABF-7EP=UNUXCFBYpDNFoUZmbA@mail.gmail.com>
 <CA+TgmoYDdYA1paUKtfHfx-iDdCKrL05m2OwPHz7SQ03t49f2oQ@mail.gmail.com>
In-Reply-To: 
 <CA+TgmoYDdYA1paUKtfHfx-iDdCKrL05m2OwPHz7SQ03t49f2oQ@mail.gmail.com>
From: Julien Rouhaud <rjuju123@gmail.com>
Date: Tue, 2 Sep 2025 08:03:04 +0800
X-Gm-Features: Ac12FXwyIISxHUXA6F2xiSK8PDAvf4lX8yxD944ImfjkdglZmJ7RD9E4pVXp3Jo
Message-ID: 
 <CAOBaU_YTJwo=jevDDKXRjwFUqON2VoWqz=Aw0FedyxbfYSiisw@mail.gmail.com>
Subject: Re: Extension security improvement: Add support for extensions with
 an owned schema
To: Robert Haas <robertmhaas@gmail.com>
Cc: Jelte Fennema-Nio <postgres@jeltef.nl>,
 Artem Gavrilov <artem.gavrilov@percona.com>,
	Jelte Fennema-Nio <me@jeltef.nl>, Tomas Vondra <tomas@vondra.me>,
	"David G. Johnston" <david.g.johnston@gmail.com>,
 Jeff Davis <pgsql@j-davis.com>,
	PostgreSQL-development <pgsql-hackers@postgresql.org>
Content-Type: multipart/alternative; boundary="00000000000002aaa3063dc637a0"
List-Id: <pgsql-hackers.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-hackers@lists.postgresql.org>
List-Owner: <mailto:pgsql-hackers-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-hackers>
Archived-At: 
 <https://www.postgresql.org/message-id/CAOBaU_YTJwo%3DjevDDKXRjwFUqON2VoWqz%3DAw0FedyxbfYSiisw%40mail.gmail.com>
Precedence: bulk

--00000000000002aaa3063dc637a0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Tue, 12 Aug 2025, 03:24 Robert Haas, <robertmhaas@gmail.com> wrote:

> On Mon, Aug 11, 2025 at 1:55=E2=80=AFPM Robert Haas <robertmhaas@gmail.co=
m> wrote:
> > [ some review ]
>
> Another thing that's occurring to me here is that nothing prevents
> other objects from making their way into the owned schema. Sure, if we
> create a new schema with nobody having any permissions, then only the
> creating role or some role that has its privileges can add anything in
> there. But that could happen by accident, or privileges could later be
> granted and somebody could add something into the extension schema
> after that. I wonder whether we should lock this down tighter somehow
> and altogether forbid creating objects in that schema except from an
> extension create/upgrade script for the owning extension.
>

I think that it would be too strict. One not too uncommon scenario is an
extension in a dedicated schema that creates additional objects
dynamically, for instance creating new partitions using triggers on one of
the extension table.  Such objects are not part of the extension and yet
are in control of the extension.

As an example powa already relies on that a lot (it creates new tables if
you register a new extension dynamically), and I'm about to add a feature
that create/drops s a bunch of inherited tables via a trigger when a remote
server is added / removed. I'm sure that there are a lot of other
extensions doing something similar.

>

--00000000000002aaa3063dc637a0
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"auto"><div><div class=3D"gmail_quote gmail_quote_container"><di=
v dir=3D"ltr" class=3D"gmail_attr">On Tue, 12 Aug 2025, 03:24 Robert Haas, =
&lt;<a href=3D"mailto:robertmhaas@gmail.com">robertmhaas@gmail.com</a>&gt; =
wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0=
px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Mon, A=
ug 11, 2025 at 1:55=E2=80=AFPM Robert Haas &lt;<a href=3D"mailto:robertmhaa=
s@gmail.com" target=3D"_blank" rel=3D"noreferrer">robertmhaas@gmail.com</a>=
&gt; wrote:<br>
&gt; [ some review ]<br>
<br>
Another thing that&#39;s occurring to me here is that nothing prevents<br>
other objects from making their way into the owned schema. Sure, if we<br>
create a new schema with nobody having any permissions, then only the<br>
creating role or some role that has its privileges can add anything in<br>
there. But that could happen by accident, or privileges could later be<br>
granted and somebody could add something into the extension schema<br>
after that. I wonder whether we should lock this down tighter somehow<br>
and altogether forbid creating objects in that schema except from an<br>
extension create/upgrade script for the owning extension.<br></blockquote><=
/div></div><div dir=3D"auto"><br></div><div dir=3D"auto">I think that it wo=
uld be too strict. One not too uncommon scenario is an extension in a dedic=
ated schema that creates additional objects dynamically, for instance creat=
ing new partitions using triggers on one of the extension table.=C2=A0 Such=
 objects are not part of the extension and yet are in control of the extens=
ion.</div><div dir=3D"auto"><br></div><div dir=3D"auto">As an example powa =
already relies on that a lot (it creates new tables if you register a new e=
xtension dynamically), and I&#39;m about to add a feature that create/drops=
 s a bunch of inherited tables via a trigger when a remote server is added =
/ removed. I&#39;m sure that there are a lot of other extensions doing some=
thing similar.=C2=A0</div><div dir=3D"auto"><div class=3D"gmail_quote gmail=
_quote_container"><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px=
 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
</blockquote></div></div></div>

--00000000000002aaa3063dc637a0--