Question: CREATE EXTENSION and create schema permission?

From Kohei KaiGai
Subject Question: CREATE EXTENSION and create schema permission?
Date
Msg-id CADyhKSVbSo6Kd=qbe+HvUnN-hegbuKCnO+RxkKnB0ZjtuvjS-A@mail.gmail.com
Replies Re: Question: CREATE EXTENSION and create schema permission?  (Dimitri Fontaine <dimitri@2ndQuadrant.fr>)
List pgsql-hackers
CreateExtension() possibly creates a new schema when the supplied
extension is not relocatable and the target schema is given by the
control file of the extension.
However, it allows users to create a new schema under their own ownership,
even if the current user does not have permission to create a new schema.

    Oid         extowner = GetUserId();
        :
    else if (control->schema != NULL)
    {
        /*
         * The extension is not relocatable and the author gave us a schema
         * for it.  We create the schema here if it does not already exist.
         */
        schemaName = control->schema;
        schemaOid = get_namespace_oid(schemaName, true);

        if (schemaOid == InvalidOid)
        {
            schemaOid = NamespaceCreate(schemaName, extowner);
            /* Advance cmd counter to make the namespace visible */
            CommandCounterIncrement();
        }
    }

It seems to me that we should inject permission checks here, as
CreateSchemaCommand() does.

    /*
     * To create a schema, must have schema-create privilege on the current
     * database and must be able to become the target role (this does not
     * imply that the target role itself must have create-schema privilege).
     * The latter provision guards against "giveaway" attacks.  Note that a
     * superuser will always have both of these privileges a fortiori.
     */
    aclresult = pg_database_aclcheck(MyDatabaseId, saved_uid, ACL_CREATE);
    if (aclresult != ACLCHECK_OK)
        aclcheck_error(aclresult, ACL_KIND_DATABASE,
                       get_database_name(MyDatabaseId));

I didn't follow the discussion about extensions so much when it got merged.
Please tell me if it was a topic already discussed before.

Thanks,
-- 
KaiGai Kohei <kaigai@kaigai.gr.jp>
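
An audit query for the condition described in the message above, added here as an example (it is not part of the original message or of the PostgreSQL sources). It lists schemas that belong to a non-relocatable extension and whose owner, the extension owner, does not hold CREATE on the current database; the column aliases are chosen for this example.

```sql
-- Added example: schemas of non-relocatable extensions whose owner lacks the
-- database-level CREATE privilege that CreateSchemaCommand() checks for.
SELECT e.extname,
       n.nspname  AS schema_name,
       o.rolname  AS schema_owner,
       eo.rolname AS extension_owner
FROM pg_extension e
JOIN pg_namespace n  ON n.oid  = e.extnamespace   -- schema holding the extension
JOIN pg_roles     o  ON o.oid  = n.nspowner       -- owner of that schema
JOIN pg_roles     eo ON eo.oid = e.extowner       -- role that ran CREATE EXTENSION
WHERE NOT e.extrelocatable                        -- schema fixed by the control file
  AND n.nspowner = e.extowner                     -- schema owned by the extension owner
  AND NOT has_database_privilege(n.nspowner, current_database()::text, 'CREATE')
ORDER BY e.extname;
```

A row is a lead to review rather than proof: the privilege may have been revoked after the schema was created, and superusers never appear because has_database_privilege() always returns true for them.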

