Re: pg_dumpall and owner of the extension

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Tue, 2024-01-23 at 18:01 +0200, kaido vaikla wrote:
> Yes, i have a real problem. To keep things clear in database, my design is:
> - every application has own schema
> - every schema has owner who is not a user postgres
> - only schema owner can do DDL's on schema
> 
> So if some application needs some extensions, then i give temporary suppersuser privilege to schema owner, 
> if "create extension"  needs it, extensions are installed "with schema"  And revoke suppersuser privilege after extension inatall. 
> I'm not sure, is it my design against postgres concept or not :(.
> 
> But in same time, i expect that pg_dumpall will not change ownership or at least gives some error or something.

I think your expectation is founded, and the current behavior is surprising.

At first, I thought that would be a security problem in combination with
trusted extensions, but then the objects from a trusted extension always
belong to the bootstrap superuser.
So, all extension objects always belong to a superuser, and a change in
ownership to a different after a restore won't be a privilege escalation.

In practice, it doesn't matter much to which superuser extension objects
belong.

Your usage pattern sort of breaks that.  I think that your practice of
temporarily elevating the prospective extension owner to superuser is
a questionable one.  You end up having extension objects owned by a
non-superuser.  That probably won't make much difference in most cases,
but it could matter for SECURITY DEFINER functions or views that use
restricted objects.  And if the extension object owner changes after a
restore, the behavior could change.

I don't really see what you are expecting to gain from your design.
Instead of temporarily elevating the schema owner's privileges, why
don't you create the extension as superuser right away?
(As an aside: you need a superuser to turn sumebody into a superuser.
Don't tell me that your application is connecting as superuser...)

So while I think that the current behavior is less than ideal, I don't
see it as a massive problem that needs to be fixed.  What is it that
stops working for you after the restore?

Perhaps some documentation for the surprising behavior might be in place.

Yours,
Laurenz Albe
[Index of Archives]     [Postgresql Home]     [Postgresql General]     [Postgresql Performance]     [Postgresql PHP]     [Postgresql Jobs]     [PHP Users]     [PHP Databases]     [PHP Home]     [PHP on Windows]     [Kernel Newbies]     [PHP Classes]     [PHP Databases]     [Yosemite Forum]

  Powered by Linux