[postgis-devel] About EXTENSION from UNPACKAGED on PostgreSQL 13
Sandro Santilli
strk at kbt.io
Thu Feb 27 09:51:30 PST 2020
On Thu, Feb 27, 2020 at 12:33:52PM -0500, Stephen Frost wrote:
> > Can you give an example attack vector?
>
> It's really not hard to imagine.. If an existing object is owned by a
> non-superuser and you put it into a package, and then use that object in
> some way during the extension script (which is running as a superuser..)
> then someone could gain superuser access.
Ok, this is something we can fix. Worth a ticket on the road to
becoming a trusted extension. But we can fix it (we can check ownership
of objects before packaging them).
> There are also issues if you
> end up with functions in untrusted languages that are owned by
> non-superusers.
Same fix: we can check ownership before packaging.
> Considering the PG folks have, quite reasonably, decided that it's not
> trivial to "plug those holes" and aren't planning to provide any support
> for doing so, I seriously, seriously, doubt that you would be able to
> somehow as an extension.
Doubts are of no help. An exact case scenario showing an impossible-to-fix
hole would. Can you provide that? I do have some thoughts
about search paths and friends but not a definitive attack vector
(we CREATE OR REPLACE functions anyway).
> I strongly feel that this is a seriously bad idea. Unpackaged installs
> really shouldn't exist these days and trying to hack around things to
> make it safe to turn some random jumble of functions into an extension
> is just a really bad idea.
I guess we can avoid the randomness.
> Properly install the extension and then migrate to it.
This would mean forcing a dump/reload, right?
--strk;
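The ownership check discussed above, as an added example (not PostGIS code and not from either poster): a pre-flight query a superuser can run before packaging unpackaged functions with ALTER EXTENSION ... ADD FUNCTION. It assumes, as placeholders, that the unpackaged objects live in schema public and that candidate functions are recognised by an st_ name prefix; a real packaging script would substitute its own selection and repeat the same pattern for types, operators and tables.

```sql
-- Added example, not PostGIS code: refuse to package any candidate
-- function that is owned by a non-superuser, which is the case raised
-- in the thread (a superuser-run extension script adopting and then
-- using an object controlled by a non-superuser).
-- Assumptions (placeholders): schema 'public', name prefix 'st_'.
DO $$
DECLARE
    r        record;
    problems integer := 0;
BEGIN
    FOR r IN
        SELECT n.nspname,
               p.proname,
               pg_get_function_identity_arguments(p.oid) AS args,
               o.rolname      AS owner,
               o.rolsuper     AS owner_is_super,
               l.lanname,
               l.lanpltrusted
          FROM pg_proc p
          JOIN pg_namespace n ON n.oid = p.pronamespace
          JOIN pg_roles     o ON o.oid = p.proowner
          JOIN pg_language  l ON l.oid = p.prolang
         WHERE n.nspname = 'public'
           AND p.proname LIKE 'st\_%'
           -- skip functions that already belong to some extension
           AND NOT EXISTS (SELECT 1
                             FROM pg_depend d
                            WHERE d.classid = 'pg_proc'::regclass
                              AND d.objid   = p.oid
                              AND d.deptype = 'e')
    LOOP
        IF NOT r.owner_is_super THEN
            -- Report the language too: an untrusted-language function
            -- (C, or an untrusted PL) owned by a non-superuser is the
            -- worst case mentioned in the thread.
            RAISE WARNING 'refusing to package %.%(%): owned by non-superuser % (language %, trusted=%)',
                r.nspname, r.proname, r.args, r.owner, r.lanname, r.lanpltrusted;
            problems := problems + 1;
        END IF;
    END LOOP;

    IF problems > 0 THEN
        RAISE EXCEPTION '% non-superuser-owned function(s) found; fix ownership before ALTER EXTENSION ... ADD',
            problems;
    END IF;
    RAISE NOTICE 'ownership check passed: all candidate functions are superuser-owned';
END
$$;
```

Run it in the same session, immediately before the ALTER EXTENSION ... ADD statements, so nothing can change ownership in between. One caveat worth keeping in mind when relying on CREATE OR REPLACE: replacing an existing function keeps that function's owner and privileges, so a superuser re-creating the body does not by itself change who owns it; offending functions have to be fixed explicitly (for example with ALTER FUNCTION ... OWNER TO) or dropped before packaging.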