CreateExtension() possibly creates a new schema when the supplied extension was not relocatable and the target schema was given by control file of the extension. However, it allows users to create a new schema with his ownership, even if current user does not have permission to create a new schema.
Oid extowner = GetUserId(); : else if (control->schema != NULL) { /* * The extension is not relocatable and the author gave us a schema * for it. We create the schema here if it does not already exist. */ schemaName = control->schema; schemaOid = get_namespace_oid(schemaName, true); if (schemaOid == InvalidOid) { schemaOid = NamespaceCreate(schemaName, extowner); /* Advance cmd counter to make the namespace visible */ CommandCounterIncrement(); } } It seems to me that we should inject permission checks here like as CreateSchemaCommand() doing. /* * To create a schema, must have schema-create privilege on the current * database and must be able to become the target role (this does not * imply that the target role itself must have create-schema privilege). * The latter provision guards against "giveaway" attacks. Note that a * superuser will always have both of these privileges a fortiori. */ aclresult = pg_database_aclcheck(MyDatabaseId, saved_uid, ACL_CREATE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, ACL_KIND_DATABASE, get_database_name(MyDatabaseId)); I didn't follow the discussion about extension so much when it got merged. Please tell me, if it was a topic already discussed before. Thanks, -- KaiGai Kohei <kai...@kaigai.gr.jp> -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers