[postgis-devel] About EXTENSION from UNPACKAGED on PostgreSQL 13

Stephen Frost sfrost at snowman.net
Thu Feb 27 09:33:52 PST 2020


Greetings,

* Sandro Santilli (strk at kbt.io) wrote:
> On Wed, Feb 26, 2020 at 10:28:11AM -0500, Stephen Frost wrote:
> > 
> > * Sandro Santilli (strk at kbt.io) wrote:
> > >
> > > When someone has postgis objects installed via
> > > scripts (not via extension), can CREATE EXTENSION
> > > technically mark those objects as being part of
> > > an extension instead ? That's exactly what
> > > `FROM UNPACKAGED` does at the moment. The question
> > > is: is it legit to do so from CREATE EXTENSION ?
> > 
> > The reason that we removed that ability from PG, as planned for v13, is
> > that it's inherently dangerous to do that...
> 
> Can you give an example attack vector ?

It's really not hard to imagine..  If an existing object is owned by a
non-superuser and you put it into a package, and then use that object in
some way during the extension script (which is running as a superuser..)
then someone could gain superuser access.  There are also issues if you
end up with functions in untrusted languages that are owned by
non-superusers.

> >  it's also clearly rife for
> > abuse when combined with the trusted extension concept which allows
> > non-superusers to install extensions that have C code.
> 
> Hopefully we can just plug those holes, and meanwhile leave the extension
> advertised as non-trusted (until we trust it), to get the same or
> comparable user experience as we have with PostgreSQL < 13

Considering the PG folks have, quite reasonably, decided that it's not
trivial to "plug those holes" and aren't planning to provide any support
for doing so, I seriously, seriously, doubt that you would be able to
somehow as an extension.

> I'm now really thinking we should start having
> 
>   CREATE EXTENSION ${any_postgis_extension}
> 
> take care of packaging, if needed (right now it would just refuse to
> run if an existing unpackaged install is found, we could change that
> to instead package it).

I strongly feel that this is a seriously bad idea.  Unpackaged installs
really shouldn't exist these days and trying to hack around things to
make it safe to turn some random jumble of functions into an extension
is just a really bad idea.

Properly install the extension and then migrate to it.

Thanks,

Stephen
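As an added example (not part of this thread, and not PostGIS's own code), here is a catalog query a DBA can run against a script-installed PostGIS schema before any attempt to package it, to surface exactly the two conditions named above: functions owned by a non-superuser, and among them those written in an untrusted language. The schema name `public` is an assumption; change it to wherever the unpackaged objects live.

```sql
-- Audit of an unpackaged install (added example, not from the thread).
-- Lists functions in the target schema that are not yet owned by any
-- extension and are owned by a non-superuser; untrusted_language is true
-- when pg_language.lanpltrusted is false (C, internal, plpythonu, ...).
-- Anything returned here would be absorbed by a superuser-run extension
-- script and is what "FROM UNPACKAGED" made it easy to overlook.
SELECT n.nspname                                  AS schema,
       p.proname                                  AS function,
       pg_get_function_identity_arguments(p.oid)  AS args,
       o.rolname                                  AS owner,
       l.lanname                                  AS language,
       NOT l.lanpltrusted                         AS untrusted_language
FROM   pg_proc      p
JOIN   pg_namespace n ON n.oid = p.pronamespace
JOIN   pg_roles     o ON o.oid = p.proowner
JOIN   pg_language  l ON l.oid = p.prolang
WHERE  n.nspname = 'public'          -- assumed location of the unpackaged objects
  AND  NOT o.rolsuper                -- owned by a non-superuser
  AND  NOT EXISTS (                  -- not already a member of an extension
         SELECT 1
         FROM   pg_depend d
         WHERE  d.classid = 'pg_proc'::regclass
           AND  d.objid   = p.oid
           AND  d.deptype = 'e')
ORDER  BY untrusted_language DESC, p.proname;
```

An empty result is the precondition for the clean path recommended above (install the extension properly, then migrate); any row is an object whose ownership needs to be resolved first.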