Re: [HACKERS] unprivileged contrib and pl install
From | Jeremy Drake |
---|---|
Subject | Re: [HACKERS] unprivileged contrib and pl install |
Date | |
Msg-id | Pine.BSO.4.64.0701241659030.23712@resin.csoft.net |
In response to | Re: [HACKERS] unprivileged contrib and pl install (formerly tsearch (Tom Lane <tgl@sss.pgh.pa.us>) |
List | pgsql-patches |
On Wed, 24 Jan 2007, Tom Lane wrote:

> Not the DB owner. If you are worried about whether to allow use of PLs
> it's almost certainly an installation-wide security concern, so I'd say
> that the privilege has to flow from a superuser.
>
> GRANT CREATE ON LANGUAGE feeding into a flag bit in pltemplate would
> work, if restricted to superusers, but I suspect people would find this
> confusing because it'd work completely differently from GRANT USAGE ON
> LANGUAGE (eg, because the latter has only database-local effects).
> Might be better to use a different syntax.

I had thought that it would be database-local, but I understand now that
it makes more sense to be global.

>
> Note I'm not arguing against allowing it to be "on" by default, I just
> want to be sure there is a way for paranoid DBAs to turn it off. Maybe
> it'd be sufficient if the flag bit was there but "UPDATE pg_pltemplate"
> was the only way to manipulate it --- we've gotten along with treating
> datistemplate and datallowconn that way.

That sounds reasonable to me. I'll try to put together a patch like this
(adding a boolean column to pg_pltemplate) and see if this is acceptable.
I assume that only superusers can modify pg_pltemplate already ;)

> Or we could go the full nine yards and add ACLs to pltemplate, but
> that's probably overkill.

Agreed.

--
He thought he saw an albatross
That fluttered 'round the lamp.
He looked again and saw it was
A penny postage stamp.
"You'd best be getting home," he said,
"The nights are rather damp."