
By default, require superuser privileges to install a pgx extension #1056

Merged

Conversation


@vadim2404 vadim2404 commented Feb 23, 2023

An error occurs when a user without root privileges tries to install extensions compiled via pgx.

For instance, pg_graphql is written in Rust using pgx. And if the user has access only to one database created especially for him, he'll see

create extension pg_graphql;

ERROR: permission denied for language c (SQLSTATE 42501)

It happens because the C language is untrusted by default in Postgres. These changes allow non-privileged users to install extensions without marking C as trusted.

@vadim2404 vadim2404 changed the title To be able to install pgx extension with superuser privileges To be able to install pgx extension without superuser privileges Feb 23, 2023

eeeebbbbrrrr commented Feb 23, 2023

I don't believe it's correct for the pgx extension template to default to trusted = true. That's not a decision pgx can make and so it ought to err on the side of safety.

And with that in mind, I'd say that setting superuser = false has actually been wrong all along.

In other words, it seems more correct for pgx to default to creating extensions that are untrusted and require superuser privileges to create. An extension developer can better make these decisions about their own extension.

vadim2404 (Contributor, Author) commented:

@eeeebbbbrrrr, it makes sense. I've reverted the changes related to trusted.

@eeeebbbbrrrr eeeebbbbrrrr changed the base branch from master to develop February 23, 2023 17:18
eeeebbbbrrrr (Contributor) commented:

For future reference, please note that we prefer PRs made against the develop branch. I've updated it here.

I'm fine to merge this but I wouldn't mind @workingjubilee's input first (these options are documented at https://www.postgresql.org/docs/current/extend-extensions.html#id-1.8.3.20.11).

Over the past year, Jubilee has taught me an entirely different perspective on safety and correctness.

@workingjubilee (Member) left a comment:

Yes, using superuser = true is correct according to this because even though superuser = false won't be an escalation of privileges, 99.9% of the time we will be creating a "C" language function which will fail to install. So we might as well do so immediately.

We are indeed working on making a subset of Rust installable without superuser privileges, but normally, pgx has all the capabilities needed to do "fun" things to a database. It requires the superuser's consent to do such things.
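The control-file semantics this thread turns on, as an added Python example that is not part of pgx, pg_graphql or this PR: it parses a constructed `.control` file, reads `superuser` and `trusted` with their PostgreSQL defaults, and reports why a non-superuser's `CREATE EXTENSION` would fail when the install script declares `LANGUAGE c` functions. The control-file contents, the function name and the script fragment are all constructed for illustration.

```python
import re

# Constructed control file for a pgx-style extension (not the real pg_graphql file):
# the weak setting is superuser = false on an extension that ships C-language functions.
WEAK_CONTROL = """\
comment = 'GraphQL support'   # trailing comments are allowed
default_version = '0.1.0'
module_pathname = '$libdir/pg_graphql'
relocatable = false
superuser = false
"""
FIXED_CONTROL = WEAK_CONTROL.replace("superuser = false", "superuser = true")

# Constructed fragment of a pgx-generated install script (function name is made up).
INSTALL_SQL = """\
CREATE FUNCTION "graphql"."resolve"("ast" jsonb) RETURNS jsonb
LANGUAGE c
AS 'MODULE_PATHNAME', 'resolve_wrapper';
"""

# PostgreSQL accepts these spellings for boolean control-file parameters.
_BOOL = {"true": True, "t": True, "on": True, "yes": True, "1": True,
         "false": False, "f": False, "off": False, "no": False, "0": False}

def parse_control(text):
    """Parse `key = value` lines of an extension control file into a dict of strings."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed control line: {raw!r}")
        value = value.strip()
        if value.startswith("'"):                      # single-quoted string value
            value = value[1:value.rindex("'")].replace("''", "'")
        else:                                          # bare value, drop trailing comment
            value = value.split("#", 1)[0].strip()
        params[key.strip()] = value
    return params

def check_install_privileges(control_text, install_sql):
    """Return the problems a non-superuser hits on CREATE EXTENSION (empty list = none)."""
    p = parse_control(control_text)
    superuser = _BOOL[p.get("superuser", "true").lower()]   # PostgreSQL default: true
    trusted = _BOOL[p.get("trusted", "false").lower()]      # PostgreSQL default: false
    uses_c = re.search(r"\bLANGUAGE\s+c\b", install_sql, re.IGNORECASE) is not None
    problems = []
    if not superuser and uses_c and not trusted:
        problems.append("superuser = false, but the script creates LANGUAGE c functions: "
                        "a non-superuser gets 'permission denied for language c' (42501)")
    if trusted and uses_c:
        problems.append("trusted = true lets any user with CREATE on the database load native "
                        "code; that is the extension author's decision, not the template's")
    return problems
```

With the weak file the check reports the 42501 failure the PR opened with; with `superuser = true` it reports nothing, because the install simply requires a superuser, as the thread concludes.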

@eeeebbbbrrrr eeeebbbbrrrr changed the title To be able to install pgx extension without superuser privileges By default, require superuser privileges to install a pgx extension Feb 23, 2023
eeeebbbbrrrr (Contributor) commented:

Funny how this PR got turned into the exact opposite of what was desired, but I'm glad we're all on the same page. Thanks @vadim2404, merging now.

3 participants