Home > mailing lists

Re: Extension security improvement: Add support for extensions with an owned schema - Mailing list pgsql-hackers

From	Robert Haas
Subject	Re: Extension security improvement: Add support for extensions with an owned schema
Date	August 11 22:23:42
Msg-id	CA+TgmoYDdYA1paUKtfHfx-iDdCKrL05m2OwPHz7SQ03t49f2oQ@mail.gmail.com Whole thread Raw
In response to	Re: Extension security improvement: Add support for extensions with an owned schema (Robert Haas <robertmhaas@gmail.com>)
List	pgsql-hackers

Tree view

On Mon, Aug 11, 2025 at 1:55 PM Robert Haas <robertmhaas@gmail.com> wrote:
> [ some review ]

Another thing that's occurring to me here is that nothing prevents
other objects from making their way into the owned schema. Sure, if we
create a new schema with nobody having any permissions, then only the
creating role or some role that has its privileges can add anything in
there. But that could happen by accident, or privileges could later be
granted and somebody could add something into the extension schema
after that. I wonder whether we should lock this down tighter somehow
and altogether forbid creating objects in that schema except from an
extension create/upgrade script for the owning extension.

--
Robert Haas
EDB: http://www.enterprisedb.com

pgsql-hackers by date:

From: Noah Misch
Date: 11 August, 22:07:54
Subject: 2025-08-14 release announcement draft

From: Andres Freund
Date: 11 August, 22:27:51
Subject: Re: meson: add and use stamp files for generated headers

Re: Extension security improvement: Add support for extensions with an owned schema - Mailing list pgsql-hackers

Previous

Next