John,
> Would it be reasonable for there to be a way for the super user to
> grant access to load "approved" modules and/or C language functions?
I can't see a way to do this except individually, in which case the
superuser might as well load the functions. We *have* to be restrictive
about this because a C function can do anything, including overwriting
whatever parts of the filesystem "postgres" has access to. Look over our
patch releases for the last 2 years and you'll see a host of patches
designed specifically to prevent regular users from gaining access to
superuser priveleges.
What you want isn't impossible, but it would be a lot of work and testing
to engineer such a mechanism and keep PostgreSQL's "most secure" status.
So far, everyone has found it easier to work around the issue, especially
since for most sites backup/restore is done by the superuser anyway.
--
--Josh
Josh Berkus
Aglio Database Solutions
San Francisco