On Wed, 24 Jan 2007, Tom Lane wrote: > Not the DB owner. If you are worried about whether to allow use of PLs > it's almost certainly an installation-wide security concern, so I'd say > that the privilege has to flow from a superuser. > > GRANT CREATE ON LANGUAGE feeding into a flag bit in pltemplate would > work, if restricted to superusers, but I suspect people would find this > confusing because it'd work completely differently from GRANT USAGE ON > LANGUAGE (eg, because the latter has only database-local effects). > Might be better to use a different syntax.
I had thought that it would be database-local, but I understand now that it makes more sense to be global. > > Note I'm not arguing against allowing it to be "on" by default, I just > want to be sure there is a way for paranoid DBAs to turn it off. Maybe > it'd be sufficient if the flag bit was there but "UPDATE pg_pltemplate" > was the only way to manipulate it --- we've gotten along with treating > datistemplate and datallowconn that way. That sounds reasonable to me. I'll try to put together a patch like this (adding a boolean column to pg_pltemplate) and see if this is acceptable. I assume that only superusers can modify pg_pltemplate already ;) > Or we could go the full nine yards and add ACLs to pltemplate, but > that's probably overkill. Agreed. -- He thought he saw an albatross That fluttered 'round the lamp. He looked again and saw it was A penny postage stamp. "You'd best be getting home," he said, "The nights are rather damp." ---------------------------(end of broadcast)--------------------------- TIP 3: Have you checked our extensive FAQ? http://www.postgresql.org/docs/faq