* Joe Conway (mail@joeconway.com) wrote:
> Get serious. Internal functions are specifically designed and maintained to
> be safe within the confines of the database security model. We are
> discussing extensions to the core, all of which must be installed by
> choice, by a superuser.
Extensions should also be designed and maintained to be safe within the
confines of the database security model. Having to be installed by a
superuser doesn't change that. I would consider it a serious risk which
would need to be fixed if, for example, a function in PostGIS was found
to allow priviledge escalation by a user. Claiming it was installed "by
choice, by a superuser" doesn't change that.
It's about as good as saying "Well, an admin had to install PostgreSQL
on the system, by choice, and therefore we don't need to worry about PG
allowing someone remote shell access to the system".
Thanks,
Stephen