Opened 12 months ago
Closed 8 months ago
#5567 closed enhancement (wontfix)
Mark PostGIS extensions as trusted ( PG13+ )
| Reported by: | strk | Owned by: | strk |
|---|---|---|---|
| Priority: | medium | Milestone: | PostGIS 3.5.0 |
| Component: | postgis | Version: | master |
| Keywords: | | Cc: | |
Description
PostgreSQL 13 introduced the concept of "trusted" extensions: https://www.postgresql.org/docs/13/extend-extensions.html
I guess PostGIS could be marked as trusted, effectively allowing unprivileged users to install the extension.
It may also simplify sandboxed environment testing (or fix related bugs) - see #5566
Change History (7)
comment:1 by , 12 months ago
comment:2 by , 12 months ago
| Owner: | changed from | to |
|---|---|---|
@strk,
I haven't read thru all the ramifications of what that allows or does not allow. So I'd rather we not do it. May never make sense to do it.
I think we should test with #5566 before we venture down that path.
follow-up: 7 comment:6 by , 9 months ago
https://www.postgresql.org/docs/13/extend-extensions.html mentions "Generally, this should not be set true for extensions that could allow access to otherwise-superuser-only abilities, such as file system access." So obviously you don't want postgis_raster to be trusted (at least when out_db support is enabled). But even regular postgis can access files like using ST_Transform() with a PROJ.4 string using +nadgrids=/some/path. ST_TransformPipeline() can also use various PROJ operations that load grids or JSON files.
comment:7 by , 8 months ago
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
Replying to rouault:
https://www.postgresql.org/docs/13/extend-extensions.html mentions "Generally, this should not be set true for extensions that could allow access to otherwise-superuser-only abilities, such as file system access." So obviously you don't want postgis_raster to be trusted (at least when out_db support is enabled). But even regular postgis can access files like using ST_Transform() with a PROJ.4 string using +nadgrids=/some/path. ST_TransformPipeline() can also use various PROJ operations that load grids or JSON files.
Thanks for the input. Yah given all that I think we should definitely stay untrusted. If a sysadmin really wants to mark our extensions trusted, they can do so by changing the extension file.
No don't do it.
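The outcome of this ticket is that the decision stays in the extension control file: PostGIS ships without `trusted = true`, and an administrator who wants the PG13+ behaviour has to edit that file themselves. The following is an added example, not PostGIS project code, of how a DBA can audit a set of `.control` files for that flag before and after such an edit. The keys `superuser` and `trusted` and their defaults (`true` and `false`) come from the PostgreSQL extension documentation linked in the ticket; the sample control-file contents are constructed for illustration (the real PostGIS files may differ), and the function names are this example's own.

```python
"""Audit PostgreSQL extension control files for the PG13+ `trusted` flag.

Added example, not PostGIS project code. The control-file contents below are
constructed for illustration; PostGIS's real .control files may differ.
"""
from __future__ import annotations

# Documented defaults for an extension control file (PostgreSQL 13+):
# superuser defaults to true, trusted defaults to false.
DEFAULTS = {"superuser": True, "trusted": False}
TRUE_WORDS = {"true", "on", "yes", "1", "t"}
FALSE_WORDS = {"false", "off", "no", "0", "f"}


def _strip_comment(line: str) -> str:
    """Drop a trailing '#' comment unless the '#' sits inside a quoted value."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == "'":
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            return line[:i]
    return line


def parse_control(text: str) -> dict[str, str]:
    """Parse `key = value` lines of a .control file into a dict of raw strings."""
    params: dict[str, str] = {}
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed control line: {raw!r}")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == "'":
            value = value[1:-1].replace("''", "'")  # unquote, unescape ''
        params[key.strip()] = value
    return params


def _as_bool(value: str | None, default: bool) -> bool:
    """Interpret a control-file boolean, falling back to the documented default."""
    if value is None:
        return default
    word = value.strip().lower()
    if word in TRUE_WORDS:
        return True
    if word in FALSE_WORDS:
        return False
    raise ValueError(f"not a boolean: {value!r}")


def who_can_install(params: dict[str, str]) -> str:
    """Classify who may run CREATE EXTENSION, from the superuser/trusted settings."""
    superuser = _as_bool(params.get("superuser"), DEFAULTS["superuser"])
    trusted = _as_bool(params.get("trusted"), DEFAULTS["trusted"])
    if not superuser:
        return "any user"  # superuser = false: no privilege requirement at all
    if trusted:
        return "non-superusers with CREATE on the database"  # trusted = true
    return "superusers only"  # the default, and what PostGIS keeps


def audit(controls: dict[str, str]) -> list[tuple[str, str]]:
    """Return (extension, who-can-install) for every extension that is not superuser-only."""
    findings = []
    for name, text in controls.items():
        scope = who_can_install(parse_control(text))
        if scope != "superusers only":
            findings.append((name, scope))
    return sorted(findings)


# Constructed sample control files (not the real PostGIS files).
SAMPLE_CONTROLS = {
    # As shipped: no `trusted` line, so the default (false) applies.
    "postgis": """# postgis extension
comment = 'PostGIS geometry and geography spatial types and functions'
default_version = '3.5.0'
relocatable = false
""",
    # A locally modified copy that flips the flag discussed in the ticket.
    "postgis_local_trusted": """comment = 'PostGIS, locally marked trusted'
default_version = '3.5.0'
relocatable = false
trusted = true   # lets non-superusers CREATE EXTENSION, file-reading functions included
""",
    # A '#' inside a quoted value must not be mistaken for a comment marker.
    "postgis_raster": """comment = 'PostGIS raster types and functions (#out_db)'
default_version = '3.5.0'
requires = 'postgis'
superuser = true
trusted = off
""",
}

if __name__ == "__main__":
    for name, scope in audit(SAMPLE_CONTROLS):
        print(f"{name}: installable by {scope}")
```

On a running PostgreSQL 13+ cluster the same facts are visible without touching the filesystem: the `pg_available_extension_versions` view exposes `superuser` and `trusted` columns, so a periodic query filtered on `trusted` catches a control file that was edited after installation.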