Mark some contrib modules as "trusted".

This allows these modules to be installed into a database without superuser privileges (assuming that the DBA or sysadmin has installed the module's files in the expected place). You only need CREATE privilege on the current database, which by default would be available to the database owner. The following modules are marked trusted: btree_gin btree_gist citext cube dict_int earthdistance fuzzystrmatch hstore hstore_plperl intarray isn jsonb_plperl lo ltree pg_trgm pgcrypto seg tablefunc tcn tsm_system_rows tsm_system_time unaccent uuid-ossp In the future we might mark some more modules trusted, but there seems to be no debate about these, and on the whole it seems wise to be conservative with use of this feature to start out with. Discussion: https://postgr.es/m/32315.1580326876@sss.pgh.pa.us
2020-02-13 15:02:35 -05:00 · 2020-02-13 15:02:35 -05:00 · eb67623c96
parent 7fdd919ae7
commit eb67623c96
46 changed files with 174 additions and 4 deletions
--- a/contrib/btree_gin/btree_gin.control
+++ b/contrib/btree_gin/btree_gin.control
@ -3,3 +3,4 @@ comment = 'support for indexing common datatypes in GIN'
 default_version = '1.3'
 module_pathname = '$libdir/btree_gin'
 relocatable = true
+trusted = true
--- a/contrib/btree_gist/btree_gist.control
+++ b/contrib/btree_gist/btree_gist.control
@ -3,3 +3,4 @@ comment = 'support for indexing common datatypes in GiST'
 default_version = '1.5'
 module_pathname = '$libdir/btree_gist'
 relocatable = true
+trusted = true
--- a/contrib/citext/citext.control
+++ b/contrib/citext/citext.control
@ -3,3 +3,4 @@ comment = 'data type for case-insensitive character strings'
 default_version = '1.6'
 module_pathname = '$libdir/citext'
 relocatable = true
+trusted = true
--- a/contrib/cube/cube.control
+++ b/contrib/cube/cube.control
@ -3,3 +3,4 @@ comment = 'data type for multidimensional cubes'
 default_version = '1.4'
 module_pathname = '$libdir/cube'
 relocatable = true
+trusted = true
--- a/contrib/dict_int/dict_int.control
+++ b/contrib/dict_int/dict_int.control
@ -3,3 +3,4 @@ comment = 'text search dictionary template for integers'
 default_version = '1.0'
 module_pathname = '$libdir/dict_int'
 relocatable = true
+trusted = true
--- a/contrib/earthdistance/earthdistance.control
+++ b/contrib/earthdistance/earthdistance.control
@ -3,4 +3,5 @@ comment = 'calculate great-circle distances on the surface of the Earth'
 default_version = '1.1'
 module_pathname = '$libdir/earthdistance'
 relocatable = true
+trusted = true
 requires = 'cube'
--- a/contrib/fuzzystrmatch/fuzzystrmatch.control
+++ b/contrib/fuzzystrmatch/fuzzystrmatch.control
@ -3,3 +3,4 @@ comment = 'determine similarities and distance between strings'
 default_version = '1.1'
 module_pathname = '$libdir/fuzzystrmatch'
 relocatable = true
+trusted = true
--- a/contrib/hstore/hstore.control
+++ b/contrib/hstore/hstore.control
@ -3,3 +3,4 @@ comment = 'data type for storing sets of (key, value) pairs'
 default_version = '1.6'
 module_pathname = '$libdir/hstore'
 relocatable = true
+trusted = true
--- a/contrib/hstore_plperl/hstore_plperl.control
+++ b/contrib/hstore_plperl/hstore_plperl.control
@ -3,4 +3,5 @@ comment = 'transform between hstore and plperl'
 default_version = '1.0'
 module_pathname = '$libdir/hstore_plperl'
 relocatable = true
+trusted = true
 requires = 'hstore,plperl'
--- a/contrib/intarray/intarray.control
+++ b/contrib/intarray/intarray.control
@ -3,3 +3,4 @@ comment = 'functions, operators, and index support for 1-D arrays of integers'
 default_version = '1.2'
 module_pathname = '$libdir/_int'
 relocatable = true
+trusted = true
--- a/contrib/isn/isn.control
+++ b/contrib/isn/isn.control
@ -3,3 +3,4 @@ comment = 'data types for international product numbering standards'
 default_version = '1.2'
 module_pathname = '$libdir/isn'
 relocatable = true
+trusted = true
--- a/contrib/jsonb_plperl/jsonb_plperl.control
+++ b/contrib/jsonb_plperl/jsonb_plperl.control
@ -3,4 +3,5 @@ comment = 'transform between jsonb and plperl'
 default_version = '1.0'
 module_pathname = '$libdir/jsonb_plperl'
 relocatable = true
+trusted = true
 requires = 'plperl'
--- a/contrib/lo/lo.control
+++ b/contrib/lo/lo.control
@ -3,3 +3,4 @@ comment = 'Large Object maintenance'
 default_version = '1.1'
 module_pathname = '$libdir/lo'
 relocatable = true
+trusted = true
--- a/contrib/ltree/ltree.control
+++ b/contrib/ltree/ltree.control
@ -3,3 +3,4 @@ comment = 'data type for hierarchical tree-like structures'
 default_version = '1.1'
 module_pathname = '$libdir/ltree'
 relocatable = true
+trusted = true
--- a/contrib/pg_trgm/pg_trgm.control
+++ b/contrib/pg_trgm/pg_trgm.control
@ -3,3 +3,4 @@ comment = 'text similarity measurement and index searching based on trigrams'
 default_version = '1.4'
 module_pathname = '$libdir/pg_trgm'
 relocatable = true
+trusted = true
--- a/contrib/pgcrypto/pgcrypto.control
+++ b/contrib/pgcrypto/pgcrypto.control
@ -3,3 +3,4 @@ comment = 'cryptographic functions'
 default_version = '1.3'
 module_pathname = '$libdir/pgcrypto'
 relocatable = true
+trusted = true
--- a/contrib/seg/seg.control
+++ b/contrib/seg/seg.control
@ -3,3 +3,4 @@ comment = 'data type for representing line segments or floating-point intervals'
 default_version = '1.3'
 module_pathname = '$libdir/seg'
 relocatable = true
+trusted = true
--- a/contrib/tablefunc/tablefunc.control
+++ b/contrib/tablefunc/tablefunc.control
@ -3,3 +3,4 @@ comment = 'functions that manipulate whole tables, including crosstab'
 default_version = '1.0'
 module_pathname = '$libdir/tablefunc'
 relocatable = true
+trusted = true
--- a/contrib/tcn/tcn.control
+++ b/contrib/tcn/tcn.control
@ -3,3 +3,4 @@ comment = 'Triggered change notifications'
 default_version = '1.0'
 module_pathname = '$libdir/tcn'
 relocatable = true
+trusted = true
--- a/contrib/tsm_system_rows/tsm_system_rows.control
+++ b/contrib/tsm_system_rows/tsm_system_rows.control
@ -3,3 +3,4 @@ comment = 'TABLESAMPLE method which accepts number of rows as a limit'
 default_version = '1.0'
 module_pathname = '$libdir/tsm_system_rows'
 relocatable = true
+trusted = true
--- a/contrib/tsm_system_time/tsm_system_time.control
+++ b/contrib/tsm_system_time/tsm_system_time.control
@ -3,3 +3,4 @@ comment = 'TABLESAMPLE method which accepts time in milliseconds as a limit'
 default_version = '1.0'
 module_pathname = '$libdir/tsm_system_time'
 relocatable = true
+trusted = true
--- a/contrib/unaccent/unaccent.control
+++ b/contrib/unaccent/unaccent.control
@ -3,3 +3,4 @@ comment = 'text search dictionary that removes accents'
 default_version = '1.1'
 module_pathname = '$libdir/unaccent'
 relocatable = true
+trusted = true
--- a/contrib/uuid-ossp/uuid-ossp.control
+++ b/contrib/uuid-ossp/uuid-ossp.control
@ -3,3 +3,4 @@ comment = 'generate universally unique identifiers (UUIDs)'
 default_version = '1.1'
 module_pathname = '$libdir/uuid-ossp'
 relocatable = true
+trusted = true
--- a/doc/src/sgml/btree-gin.sgml
+++ b/doc/src/sgml/btree-gin.sgml
@ -32,6 +32,12 @@
  two separate indexes that would have to be combined via bitmap ANDing.
 </para>

+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
 <sect2>
  <title>Example Usage</title>

--- a/doc/src/sgml/btree-gist.sgml
+++ b/doc/src/sgml/btree-gist.sgml
@ -52,6 +52,12 @@
  <type>oid</type>, and <type>money</type>.
 </para>

+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
 <sect2>
  <title>Example Usage</title>

--- a/doc/src/sgml/citext.sgml
+++ b/doc/src/sgml/citext.sgml
@ -24,6 +24,12 @@
  </para>
 </tip>

+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
 <sect2>
  <title>Rationale</title>

--- a/doc/src/sgml/contrib.sgml
+++ b/doc/src/sgml/contrib.sgml
@ -54,7 +54,7 @@
  Many modules supply new user-defined functions, operators, or types.
  To make use of one of these modules, after you have installed the code
  you need to register the new SQL objects in the database system.
-  In <productname>PostgreSQL</productname> 9.1 and later, this is done by executing
+  This is done by executing
  a <xref linkend="sql-createextension"/> command.  In a fresh database,
  you can simply do

@ -62,14 +62,23 @@
 CREATE EXTENSION <replaceable>module_name</replaceable>;
 </programlisting>

-  This command must be run by a database superuser.  This registers the
-  new SQL objects in the current database only, so you need to run this
-  command in each database that you want
+  This command registers the new SQL objects in the current database only,
+  so you need to run it in each database that you want
  the module's facilities to be available in.  Alternatively, run it in
  database <literal>template1</literal> so that the extension will be copied into
  subsequently-created databases by default.
 </para>

+ <para>
+  For all these modules, <command>CREATE EXTENSION</command> must be run
+  by a database superuser, unless the module is
+  considered <quote>trusted</quote>, in which case it can be run by any
+  user who has <literal>CREATE</literal> privilege on the current
+  database.  Modules that are trusted are identified as such in the
+  sections that follow.  Generally, trusted modules are ones that cannot
+  provide access to outside-the-database functionality.
+ </para>
+
 <para>
  Many modules allow you to install their objects in a schema of your
  choice.  To do that, add <literal>SCHEMA
--- a/doc/src/sgml/cube.sgml
+++ b/doc/src/sgml/cube.sgml
@ -12,6 +12,12 @@
  representing multidimensional cubes.
 </para>

+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
 <sect2>
  <title>Syntax</title>

--- a/doc/src/sgml/dict-int.sgml
+++ b/doc/src/sgml/dict-int.sgml
@ -15,6 +15,12 @@
  unique words, which greatly affects the performance of searching.
 </para>

+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
 <sect2>
  <title>Configuration</title>

--- a/doc/src/sgml/earthdistance.sgml
+++ b/doc/src/sgml/earthdistance.sgml
@ -23,6 +23,12 @@
  project.)
 </para>

+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
 <sect2>
  <title>Cube-Based Earth Distances</title>

--- a/doc/src/sgml/fuzzystrmatch.sgml
+++ b/doc/src/sgml/fuzzystrmatch.sgml
@ -20,6 +20,12 @@
  </para>
 </caution>

+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
 <sect2>
  <title>Soundex</title>

--- a/doc/src/sgml/hstore.sgml
+++ b/doc/src/sgml/hstore.sgml
@ -15,6 +15,12 @@
  simply text strings.
 </para>

+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
 <sect2>
  <title><type>hstore</type> External Representation</title>

@ -633,6 +639,11 @@ ALTER TABLE tablename ALTER hstorecol TYPE hstore USING hstorecol || '';
   convention).  If you use them, <type>hstore</type> values are mapped to
   Python dictionaries.
  </para>
+
+  <para>
+   Of these additional extensions, <literal>hstore_plperl</literal> is
+   considered trusted; the rest are not.
+  </para>
 </sect2>

 <sect2>
--- a/doc/src/sgml/intarray.sgml
+++ b/doc/src/sgml/intarray.sgml
@ -24,6 +24,12 @@
  treated as though it were a linear array in storage order.
 </para>

+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
 <sect2>
  <title><filename>intarray</filename> Functions and Operators</title>

--- a/doc/src/sgml/isn.sgml
+++ b/doc/src/sgml/isn.sgml
@ -21,6 +21,12 @@
  dropped from a future version of this module.
 </para>

+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
 <sect2>
  <title>Data Types</title>

--- a/doc/src/sgml/json.sgml
+++ b/doc/src/sgml/json.sgml
@ -622,6 +622,13 @@ SELECT jdoc-&gt;'guid', jdoc-&gt;'name' FROM api WHERE jdoc @&gt; '{"tags": ["qu
   use them, <type>jsonb</type> values are mapped to Python dictionaries,
   lists, and scalars, as appropriate.
  </para>
+
+  <para>
+   Of these extensions, <literal>jsonb_plperl</literal> is
+   considered <quote>trusted</quote>, that is, it can be installed by
+   non-superusers who have <literal>CREATE</literal> privilege on the
+   current database.  The rest require superuser privilege to install.
+  </para>
 </sect2>

 <sect2 id="datatype-jsonpath">
--- a/doc/src/sgml/lo.sgml
+++ b/doc/src/sgml/lo.sgml
@ -13,6 +13,12 @@
  and a trigger <function>lo_manage</function>.
 </para>

+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
 <sect2>
  <title>Rationale</title>

--- a/doc/src/sgml/ltree.sgml
+++ b/doc/src/sgml/ltree.sgml
@ -13,6 +13,12 @@
  Extensive facilities for searching through label trees are provided.
 </para>

+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
 <sect2>
  <title>Definitions</title>

--- a/doc/src/sgml/pgcrypto.sgml
+++ b/doc/src/sgml/pgcrypto.sgml
@ -17,6 +17,12 @@
  <productname>PostgreSQL</productname>.
 </para>

+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
 <sect2>
  <title>General Hashing Functions</title>

--- a/doc/src/sgml/pgtrgm.sgml
+++ b/doc/src/sgml/pgtrgm.sgml
@ -15,6 +15,12 @@
  strings.
 </para>

+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
 <sect2>
  <title>Trigram (or Trigraph) Concepts</title>

--- a/doc/src/sgml/seg.sgml
+++ b/doc/src/sgml/seg.sgml
@ -14,6 +14,12 @@
  making it especially useful for representing laboratory measurements.
 </para>

+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
 <sect2>
  <title>Rationale</title>

--- a/doc/src/sgml/tablefunc.sgml
+++ b/doc/src/sgml/tablefunc.sgml
@ -14,6 +14,12 @@
  multiple rows.
 </para>

+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
 <sect2>
  <title>Functions Provided</title>

--- a/doc/src/sgml/tcn.sgml
+++ b/doc/src/sgml/tcn.sgml
@ -17,6 +17,12 @@
  used as an <literal>AFTER</literal> trigger <literal>FOR EACH ROW</literal>.
 </para>

+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
 <para>
  Only one parameter may be supplied to the function in a
  <literal>CREATE TRIGGER</literal> statement, and that is optional.  If supplied
--- a/doc/src/sgml/tsm-system-rows.sgml
+++ b/doc/src/sgml/tsm-system-rows.sgml
@ -33,6 +33,12 @@
  the <literal>REPEATABLE</literal> clause.
 </para>

+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
 <sect2>
  <title>Examples</title>

--- a/doc/src/sgml/tsm-system-time.sgml
+++ b/doc/src/sgml/tsm-system-time.sgml
@ -35,6 +35,12 @@
  the <literal>REPEATABLE</literal> clause.
 </para>

+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
 <sect2>
  <title>Examples</title>

--- a/doc/src/sgml/unaccent.sgml
+++ b/doc/src/sgml/unaccent.sgml
@ -21,6 +21,12 @@
  normalizing dictionary for the <filename>thesaurus</filename> dictionary.
 </para>

+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
 <sect2>
  <title>Configuration</title>

--- a/doc/src/sgml/uuid-ossp.sgml
+++ b/doc/src/sgml/uuid-ossp.sgml
@ -16,6 +16,12 @@
  linkend="functions-uuid"/> for built-in ways to generate UUIDs.
 </para>

+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
 <sect2>
  <title><literal>uuid-ossp</literal> Functions</title>