[postgis-devel] PSC Vote - Mark postgis, postgis_topology, address_standardizer as trusted

Darafei "Komяpa" Praliaskouski me at komzpa.net
Mon Mar 8 05:44:49 PST 2021


On Mon, Mar 8, 2021 at 4:27 PM Christoph Berg <myon at debian.org> wrote:

> Re: Raúl Marín
> > Are there any requirements to be a "trusted extension"? As in DO and
> > DON'T we should take into account during development in the future? I
> > couldn't find anything in PostgreSQL docs.
>
> There must not be any functions that you wouldn't want an untrusted
> user to execute, like modify system catalogs, or read/write directly
> from/to the filesystem. Extension install/upgrade scripts need to be
> secure against search_path attacks and similar.
>
> https://www.postgresql.org/docs/13/extend-extensions.html#EXTEND-EXTENSIONS-SECURITY
>
So, -1 on simply marking the extension as trusted.

+1 on the plan below:

Our upgrade mechanism is not compliant with this. We need to drop upgrades
from unpackaged to be marked as trusted at very least.

So the plan to mark postgis trusted will be at least:

 - Announce that 3.2 is the last version to support upgrades from
non-extension.
 - Harden upgrades from earlier versions so that there is no chance to
sneak in a function.
 - Alternatively: forbid non-superuser to upgrade from pre-3.2.
 - Get rid of all catalog trickery (needs core postgres team support to put
all the ALTERs in place).
 - Release 3.2.
 - Really get rid of all catalog trickery (needs PG14+ as we don't have all
ALTERs in place yet in PG13).
 - Mark extension as trusted.
 - Release 3.3.



-- 
Darafei "Komяpa" Praliaskouski
OSM BY Team - http://openstreetmap.by/
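The security section Christoph links describes what a trusted-extension script has to look like: functions (SECURITY DEFINER ones in particular) pin their search_path, names are qualified with pg_catalog or @extschema@, and the control file declares the extension trusted. The following is an added illustration, not code from this thread or from PostGIS; the extension name demo_ext, its schema and the function names are hypothetical. It shows the weak function shape next to the hardened one, and finishes with a catalog query a maintainer can run to find SECURITY DEFINER functions of an installed extension (here postgis, as discussed above) that do not pin search_path.

```sql
-- demo_ext.control (hypothetical control file, shown as comments):
--   comment         = 'illustration of a trusted-extension-safe script'
--   default_version = '1.0'
--   relocatable     = false
--   schema          = demo_ext
--   trusted         = true      -- available from PostgreSQL 13

-- demo_ext--1.0.sql (hypothetical install script)
\echo Use "CREATE EXTENSION demo_ext" to load this file. \quit

-- WEAK: unqualified names and no pinned search_path. Because the extension
-- is trusted, this script runs as the bootstrap superuser, and a SECURITY
-- DEFINER body resolving "length" or "=" through the caller's search_path
-- is exactly the pattern the docs warn about.
CREATE FUNCTION @extschema@.weak_is_short(t text) RETURNS boolean
LANGUAGE sql IMMUTABLE STRICT SECURITY DEFINER
AS $$ SELECT length(t) < 10 $$;

-- HARDENED: search_path is fixed to pg_catalog plus pg_temp (last, so a
-- temp-schema object can never shadow a catalog one), every function and
-- operator is schema-qualified, and the extension's own objects are reached
-- through @extschema@, which the extension loader substitutes at install time.
CREATE FUNCTION @extschema@.is_short(t text) RETURNS boolean
LANGUAGE sql IMMUTABLE STRICT SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$ SELECT pg_catalog.length(t) OPERATOR(pg_catalog.<) 10 $$;

-- Audit query (run as a superuser against an existing database): lists the
-- SECURITY DEFINER functions that belong to the postgis extension and whose
-- proconfig carries no search_path entry. An empty result is the goal;
-- any row is a function to fix before the extension can be marked trusted.
SELECT p.oid::regprocedure AS function
FROM pg_catalog.pg_proc p
JOIN pg_catalog.pg_depend d
  ON d.classid = 'pg_catalog.pg_proc'::regclass
 AND d.objid   = p.oid
 AND d.deptype = 'e'                      -- object is a member of an extension
JOIN pg_catalog.pg_extension e
  ON d.refclassid = 'pg_catalog.pg_extension'::regclass
 AND d.refobjid   = e.oid
WHERE e.extname = 'postgis'
  AND p.prosecdef                         -- SECURITY DEFINER
  AND NOT EXISTS (
        SELECT 1
        FROM pg_catalog.unnest(p.proconfig) AS c
        WHERE c LIKE 'search_path=%'      -- proconfig stores "search_path=..."
      )
ORDER BY 1;
```

The audit query deliberately reads only pg_depend entries with deptype 'e', so functions a user happened to create in the same schema are not attributed to the extension. Swap 'postgis' for 'postgis_topology' or 'address_standardizer' to check the other extensions named in the vote.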