Re: Configurable location for extension .control files

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Andres Freund <andres(at)2ndquadrant(dot)com>
Cc: Dimitri Fontaine <dimitri(at)2ndQuadrant(dot)fr>, Oliver Charles <ollie(at)ocharles(dot)org(dot)uk>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Configurable location for extension .control files
Date: 2013-06-10 14:39:48
Message-ID: 21924.1370875188@sss.pgh.pa.us
Lists: pgsql-hackers

Andres Freund <andres(at)2ndquadrant(dot)com> writes:
> On 2013-06-10 10:13:45 -0400, Tom Lane wrote:
>> More generally, it seems pretty insane to me to want to configure a
>> "trusted" PG installation so that it can load C code from an untrusted
>> place. The trust level cannot be any higher than the weakest link.
>> Thus, I don't see a scenario in which any packager would ship binaries
>> using such an option, even if it existed.

> I fail to see the logic here.

You are confusing location in the filesystem with permissions. Assuming
that a sysadmin wants to allow, say, the postgres DBA to install random
extensions, all he has to do is adjust the permissions on the .../extension
directory to allow that (or not). Putting the extension directory
somewhere else doesn't change that meaningfully, it just makes things
more confusing and hence error-prone.

In any case, no packager is going to ship an insecure-by-default
configuration, which is what Dimitri seems to be fantasizing would
happen. It would have to be a local option to relax the permissions
on the directory, no matter where it is.

regards, tom lane
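
The permissions-versus-location point above, as an added example that is not part of the original message or of PostgreSQL: a small audit that reports who can modify a directory or any of its ancestors, wherever it sits in the filesystem. The function name `weak_links`, the default trusted uid set, and the conservative treatment of group and sticky bits are assumptions of this sketch.

```python
import os
import stat
import sys


def weak_links(path, trusted_uids=(0,)):
    """Walk from `path` up to the filesystem root and return
    [(directory, [reasons])] for every directory that an account outside
    `trusted_uids` can modify. Write access to an ancestor is enough to
    swap out everything beneath it, so the whole chain is checked."""
    findings = []
    current = os.path.realpath(path)  # resolve symlinks before judging the chain
    while True:
        st = os.stat(current)
        reasons = []
        if st.st_uid not in trusted_uids:
            reasons.append(f"owned by untrusted uid {st.st_uid}")
        # Conservative assumption: any group or other write bit counts,
        # whether or not the sticky bit is set.
        if st.st_mode & stat.S_IWGRP:
            reasons.append(f"writable by gid {st.st_gid}")
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if reasons:
            findings.append((current, reasons))
        parent = os.path.dirname(current)
        if parent == current:  # reached "/"
            return findings
        current = parent


if __name__ == "__main__":
    # Usage: python3 audit_dir.py /path/to/extension/dir [trusted uid ...]
    target = sys.argv[1]
    trusted = {0} | {int(u) for u in sys.argv[2:]}
    for directory, reasons in weak_links(target, trusted):
        print(f"{directory}: {', '.join(reasons)}")
```

An empty result means only the trusted accounts can change what the directory holds; the same check applies unchanged to a directory placed anywhere else.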
