Date: Tue, 2 Sep 2025 17:02:41 +0800
From: Julien Rouhaud
To: Jelte Fennema-Nio
Cc: Robert Haas, Artem Gavrilov, Tomas Vondra, "David G. Johnston", Jeff Davis, PostgreSQL-development
Subject: Re: Extension security improvement: Add support for extensions with an owned schema

On Tue, Sep 02, 2025 at 09:37:31AM +0200, Jelte Fennema-Nio wrote:
> On Tue, 2 Sept 2025 at 02:03, Julien Rouhaud wrote:
> > One not too uncommon scenario is an extension in a dedicated schema that
> > creates additional objects dynamically, for instance creating new
> > partitions using triggers on one of the extension tables.
>
> Interesting. I didn't know there were extensions that did that. That
> definitely doesn't seem like a very common pattern though.

I think that there are way more extensions that dynamically create objects than
you think. Some years ago I was working on such an extension at work, and pgtt
is also creating some objects under the hood. That's already 3 extensions that
I know on top of my head without having to think about it.

> But I don't think that's a problem for this idea. In the
> implementation I'm working on, superuser would still be allowed to
> create objects in such locked down owned schemas. So as long as the
> extension upgrades its permissions to superuser during these DDLs it
> should still be fine. (easy to do with SECURITY DEFINER or by
> temporarily changing permissions from C)

Requiring superuser permission seems like a big penalty, especially since the
last few years have been all about *not* requiring superuser privileges. Note
also that not all extensions embed compiled code, some are just doing plain
plpgsql and work just fine. Why not require schema owner privileges?
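To make the last question concrete, here is an added example (not code from this thread, from pgtt or from the patch under discussion): a trigger-driven partition created inside a locked-down schema under the schema owner's privileges, through a SECURITY DEFINER plpgsql function, with no superuser involved. Role and object names (ext_owner, app_user, ext.*) are assumed.

```sql
-- Added example: a non-superuser schema owner dynamically creating
-- partitions inside an extension-style schema that ordinary users
-- cannot CREATE in. Role and object names are assumed.
CREATE ROLE ext_owner NOLOGIN;
CREATE ROLE app_user LOGIN;

CREATE SCHEMA ext AUTHORIZATION ext_owner;
GRANT USAGE ON SCHEMA ext TO app_user;   -- USAGE only, no CREATE

SET ROLE ext_owner;

CREATE TABLE ext.tenants (id int PRIMARY KEY, name text NOT NULL);
CREATE TABLE ext.events (
    tenant_id int NOT NULL,
    at        timestamptz NOT NULL DEFAULT now(),
    payload   jsonb
) PARTITION BY LIST (tenant_id);

-- Runs with the privileges of ext_owner (the schema owner), not of the
-- caller and not of a superuser. search_path is pinned so the caller
-- cannot redirect any unqualified name the body resolves.
CREATE FUNCTION ext.create_tenant_partition() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$
BEGIN
    EXECUTE format(
        'CREATE TABLE ext.%I PARTITION OF ext.events FOR VALUES IN (%s)',
        'events_' || NEW.id, NEW.id);   -- %I quotes the identifier safely
    RETURN NEW;
END;
$$;

CREATE TRIGGER tenants_create_partition
    AFTER INSERT ON ext.tenants
    FOR EACH ROW EXECUTE FUNCTION ext.create_tenant_partition();

GRANT INSERT ON ext.tenants TO app_user;
GRANT SELECT, INSERT ON ext.events TO app_user;
RESET ROLE;

-- app_user cannot create objects in ext itself, but the trigger does so
-- on its behalf with the schema owner's rights only.
SET ROLE app_user;
INSERT INTO ext.tenants VALUES (42, 'acme');                  -- creates ext.events_42
INSERT INTO ext.events (tenant_id, payload) VALUES (42, '{"k": 1}');
-- CREATE TABLE ext.rogue (x int);  -- would fail: permission denied for schema ext
RESET ROLE;
```

Inserts and selects routed through the parent ext.events need privileges on the parent only, so the freshly created partition does not require its own grants.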