> On Nov 7, 2022, at 17:43, Jan Bilek <jan.bi...@eftlab.com.au> wrote:
>
> Well, superuser (our App) is already logged in and, as it is designed
> very much as an "appliance", it simply does that job - manages its
> database.
Well... don't do that. :) The problem is analogous to having root log into a
Linux box and run application commands. It works, but it opens a security
hole, as you've discovered.
> Yes, agreed. Any ideas?
In this particular case (creating an untrusted PL and functions therein),
you'll need to use a PostgreSQL superuser. This is a separate operation from
routine application use, though. (I'll note that having functions in an
untrusted PL in a PCI-sensitive system is not a great idea, as you'll need to
audit them very closely to make sure that they can't do anything untoward
outside the role system.)
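As an added illustration of the separation the reply describes (example code, not part of the original thread or of either poster's setup): the one-time steps that genuinely need a PostgreSQL superuser (installing the untrusted PL and defining functions in it) are done by the superuser, and the application then connects as a role that cannot repeat them. The role name app_user, the database name appdb, the password and the function body are assumptions; plpython3u stands in for whatever untrusted PL is in use.

```sql
-- Added example, not from the original thread. Role names, the database
-- name, the password and the function body are hypothetical.

-- ===== Step 1: run once, connected as a PostgreSQL superuser =====
-- (e.g. psql -U postgres -d appdb)

-- Installing an untrusted language is a superuser-only operation.
CREATE EXTENSION IF NOT EXISTS plpython3u;

-- The role the application connects as for routine work: not a superuser,
-- and with no CREATEDB / CREATEROLE, so a compromised app cannot use this
-- role to escalate or to add more untrusted-PL code later.
CREATE ROLE app_user LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE
    PASSWORD 'changeme';

-- Functions in an untrusted PL can only be created by a superuser, so they
-- belong in this one-time step too. Keep each body small and audit it:
-- code in an untrusted PL runs as the OS user of the server process and is
-- not limited by the SQL role system. The os.listdir call below is a
-- deliberately harmless demonstration of that reach (the server's working
-- directory is its data directory), not something to ship.
CREATE OR REPLACE FUNCTION data_dir_entry_count()
RETURNS integer
LANGUAGE plpython3u
AS $$
import os
return len(os.listdir('.'))
$$;

-- Functions are executable by PUBLIC by default; narrow that to the app role.
REVOKE ALL ON FUNCTION data_dir_entry_count() FROM PUBLIC;
GRANT EXECUTE ON FUNCTION data_dir_entry_count() TO app_user;

-- Check that the application role really is unprivileged before handing it
-- to the app (rolsuper, rolcreaterole and rolcreatedb should all be false).
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb
FROM pg_roles
WHERE rolname = 'app_user';

-- ===== Step 2: routine application use, connected as app_user =====
-- (e.g. psql -U app_user -d appdb)

-- Allowed: app_user was granted EXECUTE on the audited function.
SELECT data_dir_entry_count();

-- Rejected: a non-superuser cannot define a function in an untrusted PL,
-- which is exactly the boundary the two-step split is meant to enforce.
CREATE FUNCTION not_allowed() RETURNS void
LANGUAGE plpython3u
AS $$ pass $$;
```

Two things worth keeping in mind when applying this: the superuser session is needed only for the CREATE EXTENSION / CREATE FUNCTION step, so it can be a deliberately separate operational procedure (migration script, maintenance window) rather than a credential the running application holds; and the REVOKE ... FROM PUBLIC matters because without it any role that can connect to the database could call the untrusted-PL function, which makes the audit burden the reply mentions larger than it needs to be.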