Re: Feature Request on Extensions

On 08/18/2013 11:36 AM, Hannu Krosing wrote:
> On 08/17/2013 11:53 PM, Steven Citron-Pousty wrote:
>> Greetings all:
>> I spoke to Josh B and company at OSCON about a feature we really need
>> for PostgreSQL extensions on OpenShift (Red Hat's Platform as a
>> Service).
>>
>> What we need is the ability for Postgresql to load extensions from a
>> users file space.
> There were objections earlier against loading anything "binary" from
> a directory not being writable by root only.
>
> But allowing loading modules from the directory of the user the server
> runs as (usually postgres, but could be any system user other than root)
> seems like a really good idea.
>
> I can not see how this would create any additional security problems,
> as the user can already do anything that user can do. adding postgresql
> binary in this mix running as the same user can not possibly add any
> new security concerns.

To be extra sure no additional security is breached, CREATE EXTENSION could
add check that the client requesting this is also the same user connected
locally via ident authentication when requesting loading binary modules
from
this users (who is running both postgresql binary and client) owned
filespace.

--
Hannu Krosing
PostgreSQL Consultant
Performance, Scalability and High Availability
2ndQuadrant Nordic OÜ