Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sEupM-004pTS-RC for pgsql-hackers@arkaria.postgresql.org; Wed, 05 Jun 2024 17:53:38 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1sEupM-00AKPc-RN for pgsql-hackers@arkaria.postgresql.org; Wed, 05 Jun 2024 17:53:36 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sEupM-00AKPU-Dn for pgsql-hackers@lists.postgresql.org; Wed, 05 Jun 2024 17:53:36 +0000 Received: from mail-pg1-x532.google.com ([2607:f8b0:4864:20::532]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1sEupJ-003c6S-QC for pgsql-hackers@postgresql.org; Wed, 05 Jun 2024 17:53:35 +0000 Received: by mail-pg1-x532.google.com with SMTP id 41be03b00d2f7-681ad081695so44364a12.3 for ; Wed, 05 Jun 2024 10:53:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=j-davis-com.20230601.gappssmtp.com; s=20230601; t=1717610013; x=1718214813; darn=postgresql.org; h=mime-version:user-agent:content-transfer-encoding:references :in-reply-to:date:to:from:subject:message-id:from:to:cc:subject:date :message-id:reply-to; bh=lthF+98IFWYgBvu4qwPdhlyqHTgNGcaGOp0CLiYgQPg=; b=Q3eFl3rKFRhHlmWSz/XusYcTI/bfyAR33V87WMu4tXqgfzsnm5rxnLXgVFZnkAoENy uV3zOmw3wrlRi69rxSmIVwrt8UiRp/IKxQZ8YLsF5ki6pBfxSY75/gi4ztcjxXZdx2LD 7LbjqqY7zOYFHOzeaJJlAuV7XrdtmvCPK6nnJSpQQxc8ldf7mLOgaaSUJLxzt0PaXjzu iT/Lrwz2TmPISUQAk8JGvTmO/RiaLo+TNOnZJnilM9tefsCQSs08nnqnAyWkEnzNr3+n LN9UCFM4s1tFQvOg+sbJn4i9gwNEnio1W6FNVouNoCdPn9OGpX0cy5YYqGk7XOoQQoTg XU/Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1717610013; x=1718214813; h=mime-version:user-agent:content-transfer-encoding:references :in-reply-to:date:to:from:subject:message-id:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=lthF+98IFWYgBvu4qwPdhlyqHTgNGcaGOp0CLiYgQPg=; b=nGecZR9Co967Y4psQOfXQCHSHDCm6UXMNoadb/0xospRNFWOlI6xDAeie3GQO76JEA c9Gpr9+ofnNKtNapiLb/hscP8ZpbmsVKwcGvSUvvbAkrkdrefUYuDmk0i80LZ4LmPA2l wpnhDpn4/GYmpbQZ26QAL0s8X0dDeMyUxDHhLC7ZZVvQjmlgwl76MVMN2+3RL6BpUvmB BguKpLMumrP7l2d+KdVgKqc8bTbSdIVwKx5rDJkZ/DqjLwEAFSVVenh0KshsMXf1einD eE8MttOd58azbTqI4gPE7KckwK3Xtg9KPXkIpOHLiOPymPx65U63tfKUkCsenrSdNQmZ JN/w== X-Forwarded-Encrypted: i=1; AJvYcCXRs6C0nCVi3EBm53XYyrQM/pGIzXA95f9VACgGHjyIwituxtaebl+fasGb+sNObbh0WlAeLR6f3mVMmt2GdzP2AGYitzwNUDirdRaH X-Gm-Message-State: AOJu0YxcQ6QIMAgd+kKicA/MjfIl5YdsXFNbWPKURQ360z/9N/e+5HKg 9GaNVSZ94fyIrnPh7XJsKR5q3fPUj+kObQ2Iv5Bz47TOfhp9J2EAhf6KuspZRY8PrLIPAYIELbc = X-Google-Smtp-Source: AGHT+IEAS01QIE/loaUUSnzmD42etUgUllUzknLGXMgdJvNca9NRg4Ts/Qcm241RlP9Jm0rJwrDegg== X-Received: by 2002:a05:6a21:819a:b0:1ae:3f36:28cf with SMTP id adf61e73a8af0-1b2b7179060mr3021956637.56.1717610012577; Wed, 05 Jun 2024 10:53:32 -0700 (PDT) Received: from [172.18.10.46] ([12.126.244.130]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-702423c7bf0sm8890687b3a.42.2024.06.05.10.53.32 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 05 Jun 2024 10:53:32 -0700 (PDT) Message-ID: Subject: Re: Extension security improvement: Add support for extensions with an owned schema From: Jeff Davis To: Jelte Fennema-Nio , PostgreSQL-development Date: Wed, 05 Jun 2024 10:53:31 -0700 In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.44.4-0ubuntu2 MIME-Version: 1.0 List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Sat, 2024-06-01 at 17:08 -0700, Jelte Fennema-Nio wrote: > This patch adds a new "owned_schema" option to the extension control > file that can be set to true to indicate that this extension wants to > own the schema in which it is installed. What that means is that the > schema should not exist before creating the extension, and will be > created during extension creation. This thus gives the extension > author > an easy way to use a safe search_path, while still allowing all > objects > to be grouped together in a schema. The implementation also has the > pleasant side effect that the schema will be automatically dropped > when > the extension is dropped. Is this orthogonal to relocatability? When you say "an easy way to use a safe search_path": the CREATE EXTENSION command already sets the search_path, so your patch just ensures that it's empty (and therefore safe) first, right? Should we go further and try to prevent creating objects in an extension-owned schema with normal SQL? Approximately how many extensions should be adjusted to use owned_schema=3Dtrue? What are the reasons an extension would not want to own the schema in which the objects are created? I assume some would still create objects in pg_catalog, but ideally we'd come up with a better solution to that as well. This protects the extension script, but I'm left wondering if we could do something here to make it easier to protect extension functions called from outside the extension script, also. It would be nice if we could implicitly tack on a "SET search_path TO @extschema@, pg_catalog, pg_temp" to each function in the extension. I'm not proposing that, but perhaps a related idea might work. Probably outside the scope of your proposal. Regards, Jeff Davis