Re: untrusted PLs should be GRANTable

From Robert Haas
Subject Re: untrusted PLs should be GRANTable
Date
Msg-id CA+TgmoadbBWqhuUd9tg5MJnN7bGP-VOB43z7jNJe_SiyPnhdrg@mail.gmail.com
In reply to untrusted PLs should be GRANTable  (Craig Ringer <craig@2ndquadrant.com>)
List pgsql-hackers
On Tue, Jul 17, 2018 at 1:20 AM, Craig Ringer <craig@2ndquadrant.com> wrote:
> Forcing users to create their PLs as a superuser increases the routine use
> of superuser accounts. Most users' DDL deploy scripts will get run as a
> superuser if they have to use a superuser for PL changes; they're not going
> to SET ROLE and RESET ROLE around the function changes.
>
> It also encourages users to make their untrusted functions SECURITY DEFINER
> when still owned by a superuser, which we really don't want them doing
> unnecessarily.
>
> In the name of making things more secure, we've made them less secure.
>
> Untrusted PLs should be GRANTable with a NOTICE or WARNING telling the admin
> that GRANTing an untrusted PL effectively gives the user the ability to
> escape to superuser.

+1.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
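
An audit query for the pattern the quoted message warns about, added here as an example and not part of the original thread: it lists functions written in untrusted procedural languages and sorts SECURITY DEFINER functions owned by a superuser to the top. It assumes only the standard PostgreSQL system catalogs (`pg_proc`, `pg_language`, `pg_namespace`, `pg_roles`).

```sql
-- Added example (not from the thread): find functions in untrusted PLs
-- and flag the risky combination of SECURITY DEFINER + superuser owner.
SELECT n.nspname                                   AS schema_name,
       p.proname                                   AS function_name,
       pg_get_function_identity_arguments(p.oid)   AS arguments,
       l.lanname                                   AS language,
       r.rolname                                   AS owner,
       r.rolsuper                                  AS owner_is_superuser,
       p.prosecdef                                 AS security_definer,
       -- true if any role can call it through the PUBLIC pseudo-role
       has_function_privilege('public', p.oid, 'EXECUTE')
                                                   AS public_can_execute
FROM   pg_proc      p
JOIN   pg_language  l ON l.oid = p.prolang
JOIN   pg_namespace n ON n.oid = p.pronamespace
JOIN   pg_roles     r ON r.oid = p.proowner
-- lanispl excludes the built-in internal/c/sql entries;
-- NOT lanpltrusted keeps only untrusted PLs (e.g. plpythonu, plperlu).
WHERE  l.lanispl
  AND  NOT l.lanpltrusted
ORDER  BY (p.prosecdef AND r.rolsuper) DESC,
          public_can_execute DESC,
          n.nspname, p.proname;
```

Rows where `security_definer`, `owner_is_superuser` and `public_can_execute` are all true are the ones to review first, since any caller runs that untrusted code with superuser rights.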

