* Joe Conway ([EMAIL PROTECTED]) wrote: > Get serious. Internal functions are specifically designed and maintained to > be safe within the confines of the database security model. We are > discussing extensions to the core, all of which must be installed by > choice, by a superuser.
Extensions should also be designed and maintained to be safe within the confines of the database security model. Having to be installed by a superuser doesn't change that. I would consider it a serious risk which would need to be fixed if, for example, a function in PostGIS was found to allow priviledge escalation by a user. Claiming it was installed "by choice, by a superuser" doesn't change that. It's about as good as saying "Well, an admin had to install PostgreSQL on the system, by choice, and therefore we don't need to worry about PG allowing someone remote shell access to the system". Thanks, Stephen
signature.asc
Description: Digital signature