Re: [GENERAL] Re: permission denied to create extension ltree Must be superuser to create this extension.
krz...@gmail.com escribió: Year has passed and still no answer here or in documentation. I wonder if I get to live that long so I can find out answer. The question was: Ok, but can someone comment, document something on security of installing extensions for normal users? Does allowing access to extension provides a way to circumvent security model? If not why can't it be allowed for user installations (provided that extension was previously allowed in some conf file)? I see you got some answers, but they weren't fully correct. Really, CREATE EXTENSION can be run by any user, no special privileges necessary; but all commands inside the extension script will go through the normal privilege checks, so if you're not superuser you will not be able to install extensions that try to install C-language functions, for example. The documentation for CREATE EXTENSION does say this, so I'm not sure what else you want. Quoth that page: Loading an extension requires the same privileges that would be required to create its component objects. For most extensions this means superuser or database owner privileges are needed. The user who runs CREATE EXTENSION becomes the owner of the extension for purposes of later privilege checks, as well as the owner of any objects created by the extension's script. http://www.postgresql.org/docs/current/static/sql-createextension.html What we don't yet have is something that was proposed some time ago: the possibility of whitelisting extensions so that any database owner is able to install it regardless of privileges. -- Álvaro Herrerahttp://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Training Services -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
[GENERAL] Re: permission denied to create extension ltree Must be superuser to create this extension.
Year has passed and still no answer here or in documentation. I wonder if I get to live that long so I can find out answer. -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
Re: [GENERAL] Re: permission denied to create extension ltree Must be superuser to create this extension.
On 02/11/2013 03:15 PM, krz...@gmail.com wrote: Year has passed and still no answer here or in documentation. I wonder if I get to live that long so I can find out answer. As far as I know your question was answered previously. ltree uses C functions and they need to be installed by a superuser as they could be a security risk. -- Adrian Klaver adrian.kla...@gmail.com -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
Re: [GENERAL] Re: permission denied to create extension ltree Must be superuser to create this extension.
On 2/11/2013 3:15 PM, krz...@gmail.com wrote: Year has passed and still no answer here or in documentation. I wonder if I get to live that long so I can find out answer. answer to what question? this message didn't thread onto anything in my list history (goes back 3-4 months), and your subject is simply a quote of an error message. the error message seems self-explanatory. -- john r pierce 37N 122W somewhere on the middle of the left coast -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general