mirror of
https://github.com/postgres/postgres.git
synced 2025-06-05 23:56:58 +03:00
96cbfe92d7
Hostile objects located within the installation-time search_path could capture references in an extension's installation or upgrade script. If the extension is being installed with superuser privileges, this opens the door to privilege escalation. While such hazards have existed all along, their urgency increases with the v13 "trusted extensions" feature, because that lets a non-superuser control the installation path for a superuser-privileged script. Therefore, make a number of changes to make such situations more secure: * Tweak the construction of the installation-time search_path to ensure that references to objects in pg_catalog can't be subverted; and explicitly add pg_temp to the end of the path to prevent attacks using temporary objects. * Disable check_function_bodies within installation/upgrade scripts, so that any security gaps in SQL-language or PL-language function bodies cannot create a risk of unwanted installation-time code execution. * Adjust lookup of type input/receive functions and join estimator functions to complain if there are multiple candidate functions. This prevents capture of references to functions whose signature is not the first one checked; and it's arguably more user-friendly anyway. * Modify various contrib upgrade scripts to ensure that catalog modification queries are executed with secure search paths. (These are in-place modifications with no extension version changes, since it is the update process itself that is at issue, not the end result.) Extensions that depend on other extensions cannot be made fully secure by these methods alone; therefore, revert the "trusted" marking that commit eb67623c9 applied to earthdistance and hstore_plperl, pending some better solution to that set of issues. Also add documentation around these issues, to help extension authors write secure installation scripts. Patch by me, following an observation by Andres Freund; thanks to Noah Misch for review. Security: CVE-2020-14350
275 lines
10 KiB
Plaintext
275 lines
10 KiB
Plaintext
<!--
|
|
doc/src/sgml/ref/create_extension.sgml
|
|
PostgreSQL documentation
|
|
-->
|
|
|
|
<refentry id="SQL-CREATEEXTENSION">
|
|
<indexterm zone="sql-createextension">
|
|
<primary>CREATE EXTENSION</primary>
|
|
</indexterm>
|
|
|
|
<refmeta>
|
|
<refentrytitle>CREATE EXTENSION</refentrytitle>
|
|
<manvolnum>7</manvolnum>
|
|
<refmiscinfo>SQL - Language Statements</refmiscinfo>
|
|
</refmeta>
|
|
|
|
<refnamediv>
|
|
<refname>CREATE EXTENSION</refname>
|
|
<refpurpose>install an extension</refpurpose>
|
|
</refnamediv>
|
|
|
|
<refsynopsisdiv>
|
|
<synopsis>
|
|
CREATE EXTENSION [ IF NOT EXISTS ] <replaceable class="parameter">extension_name</replaceable>
|
|
[ WITH ] [ SCHEMA <replaceable class="parameter">schema_name</replaceable> ]
|
|
[ VERSION <replaceable class="parameter">version</replaceable> ]
|
|
[ FROM <replaceable class="parameter">old_version</replaceable> ]
|
|
[ CASCADE ]
|
|
</synopsis>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1>
|
|
<title>Description</title>
|
|
|
|
<para>
|
|
<command>CREATE EXTENSION</command> loads a new extension into the current
|
|
database. There must not be an extension of the same name already loaded.
|
|
</para>
|
|
|
|
<para>
|
|
Loading an extension essentially amounts to running the extension's script
|
|
file. The script will typically create new <acronym>SQL</> objects such as
|
|
functions, data types, operators and index support methods.
|
|
<command>CREATE EXTENSION</command> additionally records the identities
|
|
of all the created objects, so that they can be dropped again if
|
|
<command>DROP EXTENSION</command> is issued.
|
|
</para>
|
|
|
|
<para>
|
|
Loading an extension requires the same privileges that would be
|
|
required to create its component objects. For most extensions this
|
|
means superuser or database owner privileges are needed.
|
|
The user who runs <command>CREATE EXTENSION</command> becomes the
|
|
owner of the extension for purposes of later privilege checks, as well
|
|
as the owner of any objects created by the extension's script.
|
|
</para>
|
|
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Parameters</title>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><literal>IF NOT EXISTS</></term>
|
|
<listitem>
|
|
<para>
|
|
Do not throw an error if an extension with the same name already
|
|
exists. A notice is issued in this case. Note that there is no
|
|
guarantee that the existing extension is anything like the one that
|
|
would have been created from the currently-available script file.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><replaceable class="parameter">extension_name</replaceable></term>
|
|
<listitem>
|
|
<para>
|
|
The name of the extension to be
|
|
installed. <productname>PostgreSQL</productname> will create the
|
|
extension using details from the file
|
|
<literal>SHAREDIR/extension/</literal><replaceable class="parameter">extension_name</replaceable><literal>.control</literal>.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><replaceable class="parameter">schema_name</replaceable></term>
|
|
<listitem>
|
|
<para>
|
|
The name of the schema in which to install the extension's
|
|
objects, given that the extension allows its contents to be
|
|
relocated. The named schema must already exist.
|
|
If not specified, and the extension's control file does not specify a
|
|
schema either, the current default object creation schema is used.
|
|
</para>
|
|
|
|
<para>
|
|
If the extension specifies a <literal>schema</> parameter in its
|
|
control file, then that schema cannot be overridden with
|
|
a <literal>SCHEMA</> clause. Normally, an error will be raised if
|
|
a <literal>SCHEMA</> clause is given and it conflicts with the
|
|
extension's <literal>schema</> parameter. However, if
|
|
the <literal>CASCADE</> clause is also given,
|
|
then <replaceable class="parameter">schema_name</replaceable> is
|
|
ignored when it conflicts. The
|
|
given <replaceable class="parameter">schema_name</replaceable> will be
|
|
used for installation of any needed extensions that do not
|
|
specify <literal>schema</> in their control files.
|
|
</para>
|
|
|
|
<para>
|
|
Remember that the extension itself is not considered to be within any
|
|
schema: extensions have unqualified names that must be unique
|
|
database-wide. But objects belonging to the extension can be within
|
|
schemas.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><replaceable class="parameter">version</replaceable></term>
|
|
<listitem>
|
|
<para>
|
|
The version of the extension to install. This can be written as
|
|
either an identifier or a string literal. The default version is
|
|
whatever is specified in the extension's control file.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><replaceable class="parameter">old_version</replaceable></term>
|
|
<listitem>
|
|
<para>
|
|
<literal>FROM</> <replaceable class="parameter">old_version</>
|
|
must be specified when, and only when, you are attempting to install
|
|
an extension that replaces an <quote>old style</> module that is just
|
|
a collection of objects not packaged into an extension. This option
|
|
causes <command>CREATE EXTENSION</> to run an alternative installation
|
|
script that absorbs the existing objects into the extension, instead
|
|
of creating new objects. Be careful that <literal>SCHEMA</> specifies
|
|
the schema containing these pre-existing objects.
|
|
</para>
|
|
|
|
<para>
|
|
The value to use for <replaceable
|
|
class="parameter">old_version</replaceable> is determined by the
|
|
extension's author, and might vary if there is more than one version
|
|
of the old-style module that can be upgraded into an extension.
|
|
For the standard additional modules supplied with pre-9.1
|
|
<productname>PostgreSQL</productname>, use <literal>unpackaged</>
|
|
for <replaceable class="parameter">old_version</replaceable> when
|
|
updating a module to extension style.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><literal>CASCADE</></term>
|
|
<listitem>
|
|
<para>
|
|
Automatically install any extensions that this extension depends on
|
|
that are not already installed. Their dependencies are likewise
|
|
automatically installed, recursively. The <literal>SCHEMA</> clause,
|
|
if given, applies to all extensions that get installed this way.
|
|
Other options of the statement are not applied to
|
|
automatically-installed extensions; in particular, their default
|
|
versions are always selected.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Notes</title>
|
|
|
|
<para>
|
|
Before you can use <command>CREATE EXTENSION</> to load an extension
|
|
into a database, the extension's supporting files must be installed.
|
|
Information about installing the extensions supplied with
|
|
<productname>PostgreSQL</productname> can be found in
|
|
<link linkend="contrib">Additional Supplied Modules</link>.
|
|
</para>
|
|
|
|
<para>
|
|
The extensions currently available for loading can be identified from the
|
|
<link linkend="view-pg-available-extensions"><structname>pg_available_extensions</structname></link>
|
|
or
|
|
<link linkend="view-pg-available-extension-versions"><structname>pg_available_extension_versions</structname></link>
|
|
system views.
|
|
</para>
|
|
|
|
<caution>
|
|
<para>
|
|
Installing an extension as superuser requires trusting that the
|
|
extension's author wrote the extension installation script in a secure
|
|
fashion. It is not terribly difficult for a malicious user to create
|
|
trojan-horse objects that will compromise later execution of a
|
|
carelessly-written extension script, allowing that user to acquire
|
|
superuser privileges. However, trojan-horse objects are only hazardous
|
|
if they are in the <varname>search_path</varname> during script
|
|
execution, meaning that they are in the extension's installation target
|
|
schema or in the schema of some extension it depends on. Therefore, a
|
|
good rule of thumb when dealing with extensions whose scripts have not
|
|
been carefully vetted is to install them only into schemas for which
|
|
CREATE privilege has not been and will not be granted to any untrusted
|
|
users. Likewise for any extensions they depend on.
|
|
</para>
|
|
|
|
<para>
|
|
The extensions supplied with <productname>PostgreSQL</productname> are
|
|
believed to be secure against installation-time attacks of this sort,
|
|
except for a few that depend on other extensions. As stated in the
|
|
documentation for those extensions, they should be installed into secure
|
|
schemas, or installed into the same schemas as the extensions they
|
|
depend on, or both.
|
|
</para>
|
|
</caution>
|
|
|
|
<para>
|
|
For information about writing new extensions, see
|
|
<xref linkend="extend-extensions">.
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Examples</title>
|
|
|
|
<para>
|
|
Install the <link linkend="hstore">hstore</link> extension into the
|
|
current database, placing its objects in schema <literal>addons</literal>:
|
|
<programlisting>
|
|
CREATE EXTENSION hstore SCHEMA addons;
|
|
</programlisting>
|
|
Another way to accomplish the same thing:
|
|
<programlisting>
|
|
SET search_path = addons;
|
|
CREATE EXTENSION hstore;
|
|
</programlisting>
|
|
</para>
|
|
|
|
<para>
|
|
Update a pre-9.1 installation of <literal>hstore</> into
|
|
extension style:
|
|
<programlisting>
|
|
CREATE EXTENSION hstore SCHEMA public FROM unpackaged;
|
|
</programlisting>
|
|
Be careful to specify the schema in which you installed the existing
|
|
<literal>hstore</> objects.
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Compatibility</title>
|
|
|
|
<para>
|
|
<command>CREATE EXTENSION</command> is a <productname>PostgreSQL</>
|
|
extension.
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>See Also</title>
|
|
|
|
<simplelist type="inline">
|
|
<member><xref linkend="sql-alterextension"></member>
|
|
<member><xref linkend="sql-dropextension"></member>
|
|
</simplelist>
|
|
</refsect1>
|
|
|
|
</refentry>
|