On Fri, Jan 12, 2024 at 10:13 AM Jelte Fennema-Nio <postg...@jeltef.nl> wrote:
> On Fri, 12 Jan 2024 at 15:53, Michael Banck <mba...@gmx.net> wrote:
> > I propose to add a new predefined role to Postgres,
> > pg_manage_extensions. The idea is that it allows Superusers to delegate
> > the rights to create, update or delete extensions to other roles, even
> > if those extensions are not trusted or those users are not the database
> > owner.
>
> I agree that extension creation is one of the main reasons people
> require superuser access, and I think it would be beneficial to try to
> reduce that. But I'm not sure that such a pg_manage_extensions role
> would have any fewer permissions than superuser in practice. Afaik
> many extensions that are not marked as trusted, are not trusted
> because they would allow fairly trivial privilege escalation to
> superuser if they were.

I see that Jelte walked this comment back, but I think this issue needs more discussion. I'm not intrinsically against having a role like pg_execute_server_programs that allows escalation to superuser, but I don't see how it would help a cloud provider whose goal is to NOT allow administrators to escalate to superuser. What am I missing?

--
Robert Haas
EDB: http://www.enterprisedb.com