On Tue, Jul 17, 2018 at 1:20 AM, Craig Ringer <cr...@2ndquadrant.com> wrote:
> Forcing users to create their PLs as a superuser increases the routine use
> of superuser accounts. Most users' DDL deploy scripts will be run as a
> superuser if they have to use a superuser for PL changes; they're not going
> to SET ROLE and RESET ROLE around the function changes.
>
> It also encourages users to make their untrusted functions SECURITY DEFINER
> when still owned by a superuser, which we really don't want them doing
> unnecessarily.
>
> In the name of making things more secure, we've made them less secure.
>
> Untrusted PLs should be GRANTable with a NOTICE or WARNING telling the admin
> that GRANTing an untrusted PL effectively gives the user the ability to
> escape to superuser.
+1.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
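The pattern Craig describes above (untrusted-language functions made SECURITY DEFINER while still owned by a superuser) is something a DBA can look for directly in the catalogs. The query below is an added audit example, not code from the thread or from PostgreSQL itself; it uses only the standard catalogs pg_proc, pg_language, pg_namespace and pg_roles and assumes a server where you can read them (any normal login role can).

```sql
-- Added audit query (not part of the thread): list SECURITY DEFINER functions
-- written in an untrusted language and owned by a superuser. Any role with
-- EXECUTE on such a function runs untrusted code with superuser rights.
SELECT n.nspname                                  AS schema_name,
       p.proname                                  AS function_name,
       pg_get_function_identity_arguments(p.oid)  AS args,
       l.lanname                                  AS language,
       r.rolname                                  AS owner,
       -- A NULL proacl means default privileges, which for functions
       -- is EXECUTE granted to PUBLIC, i.e. every role can call it.
       COALESCE(p.proacl::text, '(default: EXECUTE to PUBLIC)') AS acl
FROM   pg_proc      p
JOIN   pg_language  l ON l.oid = p.prolang
JOIN   pg_namespace n ON n.oid = p.pronamespace
JOIN   pg_roles     r ON r.oid = p.proowner
WHERE  p.prosecdef                    -- SECURITY DEFINER
  AND  NOT l.lanpltrusted             -- untrusted: plpythonu, plperlu, C, ...
  AND  r.rolsuper                     -- owner is a superuser
  AND  n.nspname NOT IN ('pg_catalog', 'information_schema')
ORDER  BY 1, 2;
```

The `lanpltrusted` test also matches functions in C, which is deliberate: the exposure is the same. Add `AND l.lanispl` if you only want procedural languages. To see exactly which roles hold EXECUTE on a flagged function, expand its ACL with `aclexplode(p.proacl)` rather than reading the raw `aclitem[]`. Rows that show the default ACL are the ones to review first, since that is the case where a superuser-owned untrusted function is callable by everyone.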