Jeremy Drake <[EMAIL PROTECTED]> writes: > On Wed, 24 Jan 2007, Tom Lane wrote: >> that there really needs to be *some* sort of privilege check here. >> What that is and how to implement it are the hard parts.
> So I guess it depends on what you mean by "DBA". Perhaps the database > owner? Or some new privilege type (GRANT CREATE ON LANGUAGE ...? Or GRANT > CREATE LANGUAGE ON DATABASE...?) that the db owner has by default? Not the DB owner. If you are worried about whether to allow use of PLs it's almost certainly an installation-wide security concern, so I'd say that the privilege has to flow from a superuser. GRANT CREATE ON LANGUAGE feeding into a flag bit in pltemplate would work, if restricted to superusers, but I suspect people would find this confusing because it'd work completely differently from GRANT USAGE ON LANGUAGE (eg, because the latter has only database-local effects). Might be better to use a different syntax. Note I'm not arguing against allowing it to be "on" by default, I just want to be sure there is a way for paranoid DBAs to turn it off. Maybe it'd be sufficient if the flag bit was there but "UPDATE pg_pltemplate" was the only way to manipulate it --- we've gotten along with treating datistemplate and datallowconn that way. Or we could go the full nine yards and add ACLs to pltemplate, but that's probably overkill. regards, tom lane ---------------------------(end of broadcast)--------------------------- TIP 5: don't forget to increase your free space map settings