Tom,

> Yeah, if the config option were to be superuser-only, the security issue
> would be ameliorated --- not removed entirely, IMO, but at least
> weakened. However, this seems to me to be missing the point, which is
> that the extensions feature is designed to let the DBA have control over
> which extensions are potentially installable. If we allow extension
> control files to be loaded from any random directory then we lose that.
> Part of the argument for not requiring superuser permissions to execute
> CREATE EXTENSION was based on that restriction, so we'd need to go back
> and rethink the permissions needed for CREATE EXTENSION.

I do see the utility in having the extension folder relocatable by packagers; I could really use this for vagrant builds of PostgreSQL, which I use for testing. Right now I do a lot of file copying of .so files.

In my case, though, I only need to change the whole extension folder location, I don't need to have multiple locations, a dirpath, or anything sophisticated. That is, a super-user, cold-start only option of "extension_path='/vagrant/extensions/'" would work for my case, and I suspect most packaging cases as well. This seems like it would work for Oliver's case.

And I don't see how making the folder relocatable as an on-start option hurts our security at all; we're simply doing something which the same user could do with symlinks, only much more neatly.

--
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com