Josh Berkus <josh@agliodbs.com> writes:
> On 06/04/2013 10:25 AM, Tom Lane wrote:
>> Basically, none of those are likely to get accepted because of security
>> concerns. We *don't* want this path to be run-time adjustable.
> Really? I don't see a security concern in having a postgresql.conf
> option which requires a full restart. If the user can edit
> postgresql.conf and do a cold restart, presumably they can do anything
> they want anyway.
Yeah, if the config option were to be superuser-only, the security issue
would be ameliorated --- not removed entirely, IMO, but at least
weakened. However, this seems to me to be missing the point, which is
that the extensions feature is designed to let the DBA have control over
which extensions are potentially installable. If we allow extension
control files to be loaded from any random directory then we lose that.
Part of the argument for not requiring superuser permissions to execute
CREATE EXTENSION was based on that restriction, so we'd need to go back
and rethink the permissions needed for CREATE EXTENSION.
regards, tom lane