Re: Extension security improvement: Add support for extensions with an owned schema

On Tue, 2 Sept 2025 at 02:03, Julien Rouhaud <rjuju123@gmail.com> wrote:
> One not too uncommon scenario is an extension in a dedicated schema that creates additional objects dynamically, for
instancecreating new partitions using triggers on one of the extension table.
 

Interesting. I didn't know there were extensions that did that. That
definitely doesn't seem like a very common pattern though.

But I don't think that's a problem for this idea. In the
implementation I'm working on, superuser would still be allowed to
create objects in such locked down owned schemas. So as long as the
extension upgrades its permissions to superuser during these DDLs it
should still be fine. (easy to do with SECURITY DEFINER or by
temporarily changing permissions from C)