PostgreSQL 9.1 extension to implement CREATE EXTENSION whitelisting.

0 parents commit a744db9a793caa41d34669af2c623ea6a8b8c71e @dimitri committed Dec 11, 2011
Showing with 441 additions and 0 deletions.
  1. +1 −0 .gitignore
  2. +6 −0 Makefile
  3. +132 −0 README.asciidoc
  4. +302 −0 pgextwlist.c
@@ -0,0 +1 @@
+pgextwlist.so
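Review bot: Only pgextwlist.so is ignored here, while the PGXS build driven by the Makefile in this commit also leaves pgextwlist.o in the source tree. Add a second line for it (or a *.o pattern) so build output cannot be committed by accident.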
@@ -0,0 +1,6 @@
+MODULES = pgextwlist
+DOCS = README.asciidoc
+
+PG_CONFIG = pg_config
+PGXS = $(shell $(PG_CONFIG) --pgxs)
+include $(PGXS)
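Review bot: MODULES = pgextwlist installs the library into the standard $libdir, but the README in this commit tells users to load it through local_preload_libraries, and PostgreSQL resolves names in that setting only under $libdir/plugins. Either add an install step that places pgextwlist.so in $libdir/plugins, or document the manual copy or symlink in the README's Install section; as written, the setting will not find the module after make install.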
@@ -0,0 +1,132 @@
+= pg_ext_whitelist
+
+This extension implements extension whitelisting, and will actively prevent
+users from installing extensions not in the provided list. Also, this
+extension implements a form of +sudo+ facility in that the whitelisted
+extensions will get installed as if superuser. Privileges are droped before
+handing the control back to the user.
+
+== Install
+
+You should have received that as a debian package or equivalent:
+
+ apt-get install postgresql-9.1-extension-whitelist
+
+If that's not the case, install the server development packages then:
+
+ make
+ sudo make install
+
+== Setup
+
+You need to define the list of extensions that are whitelisted, the user
+that performs the extension installing, and the error behavior.
+
+local_preload_libraries::
+
+ Add +pgextwlist+ to the +local_preload_libraries+ setting.
+
+custom_variable_classes::
+
+ Add +extwlist+ to the +custom_variable_classes+ setting if you're using
+ 9.1, in 9.2 this setting disapeared.
+
+extwlist.extensions::
+
+ List of extensions allowed for installation.
+
+extwlist.error::
+
+ When set to +true+, an error is raised when attempting to install an
+ extension not in the whitelist. When set to +false+, a +WARNING+ is
+ raised, thus allowing the current transaction to silently continue.
+ Defaults to +true+.
+
+== Usage
+
+That's quite simple:
+
+ $ edit postgresql.conf, custom_variable_classes and extwlist.*
+
+ dim=# show extwlist.extensions;
+ show extwlist.extensions;
+ extwlist.extensions
+ ---------------------
+ hstore,cube
+ (1 row)
+
+ dim=# show extwlist.error;
+ show extwlist.error;
+ extwlist.error
+ ----------------
+ on
+ (1 row)
+
+ dim=# create extension foo;
+ create extension foo;
+ ERROR: extension "foo" is not whitelisted
+
+ dim=# set extwlist.error to false;
+ set extwlist.error to false;
+ SET
+
+ dim=# create extension foo;
+ create extension foo;
+ WARNING: extension "foo" is not whitelisted
+ CREATE EXTENSION
+
+ dim=# create extension hstore;
+ create extension hstore;
+ WARNING: => is deprecated as an operator name
+ DETAIL: This name may be disallowed altogether in future versions of PostgreSQL.
+ CREATE EXTENSION
+ dim=# \dx
+ \dx
+ List of installed extensions
+ Name | Version | Schema | Description
+ ---------+---------+------------+--------------------------------------------------
+ hstore | 1.0 | public | data type for storing sets of (key, value) pairs
+ plpgsql | 1.0 | pg_catalog | PL/pgSQL procedural language
+ (2 rows)
+
+Even if you're not superuser:
+
+ dim=> select rolsuper from pg_roles where rolname = current_user;
+ select rolsuper from pg_roles where rolname = current_user;
+ rolsuper
+ ----------
+ f
+ (1 row)
+
+ dim=> create extension hstore;
+ create extension hstore;
+ WARNING: => is deprecated as an operator name
+ DETAIL: This name may be disallowed altogether in future versions of PostgreSQL.
+ CREATE EXTENSION
+ dim=> create extension earthdistance;
+ create extension earthdistance;
+ ERROR: extension "earthdistance" is not whitelisted
+ dim=> \dx
+ \dx
+ List of installed extensions
+ Name | Version | Schema | Description
+ ---------+---------+------------+--------------------------------------------------
+ hstore | 1.0 | public | data type for storing sets of (key, value) pairs
+ plpgsql | 1.0 | pg_catalog | PL/pgSQL procedural language
+ (2 rows)
+
+ dim=> drop extension hstore;
+ drop extension hstore;
+ DROP EXTENSION
+
+== Internals
+
+The whitelisting works by overloading the +ProcessUtility_hook+ and gaining
+control each time a utility statement is issued. When this statement is a
+CREATE EXTENSION, the extension's name is extracted from the +parsetree+ and
+checked against the whitelist.
+
+The +sudo+ part is not pretty. We edit the +rolsuper+ attribute directly in
+the catalogs then force a cache refresh and a CommandCounterIncrement() so
+that next commands consider we are a superuser. Then we edit the rolsuper
+attribute back to what it was before our command.
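Review bot: In the Setup and Usage sections, extwlist.error is switched off with a plain SET inside the session, after which create extension foo completes with only a WARNING, so with that setting off the whitelist is advisory. The README should say which roles may change extwlist.error and extwlist.extensions, recommend restricting both to postgresql.conf or a superuser, and state whether the WARNING path also runs with the temporary superuser elevation. In Internals, describe what happens to rolsuper if the wrapped command fails before the attribute is edited back, and note that whitelisted extension scripts run with superuser rights and so must be trusted. Smaller points: "silently continue" contradicts raising a WARNING, "droped" and "disapeared" are misspelled, and the title pg_ext_whitelist does not match the pgextwlist module name used in Setup.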