4th chunk of `doc/src/sgml/ref/create_extension.sgml`
 </refsect1>

 <refsect1>
  <title>Notes</title>

  <para>
   Before you can use <command>CREATE EXTENSION</command> to load an extension
   into a database, the extension's supporting files must be installed.
   Information about installing the extensions supplied with
   <productname>PostgreSQL</productname> can be found in
   <link linkend="contrib">Additional Supplied Modules</link>.
  </para>

  <para>
   The extensions currently available for loading can be identified from the
   <link linkend="view-pg-available-extensions"><structname>pg_available_extensions</structname></link>
   or
   <link linkend="view-pg-available-extension-versions"><structname>pg_available_extension_versions</structname></link>
   system views.
  </para>

  <caution>
   <para>
    Installing an extension as superuser requires trusting that the
    extension's author wrote the extension installation script in a secure
    fashion.  It is not terribly difficult for a malicious user to create
    trojan-horse objects that will compromise later execution of a
    carelessly-written extension script, allowing that user to acquire
    superuser privileges.  However, trojan-horse objects are only hazardous
    if they are in the <varname>search_path</varname> during script
    execution, meaning that they are in the extension's installation target
    schema or in the schema of some extension it depends on.  Therefore, a
    good rule of thumb when dealing with extensions whose scripts have not
    been carefully vetted is to install them only into schemas for which
    CREATE privilege has not been and will not be granted to any untrusted
    users.  Likewise for any extensions they depend on.
   </para>

   <para>
    The extensions supplied with <productname>PostgreSQL</productname> are
    believed to be secure against installation-time attacks of this sort,
    except for a few that depend on other extensions.  As stated in the
    documentation for those extensions, they should be installed into secure
    schemas, or installed into the same schemas as the extensions they
    depend on, or both.
   </para>
  </caution>

  <para>
   For information about writing new extensions, see
   <xref linkend="extend-extensions"/>.
  </para>
 </refsect1>

 <refsect1>
  <title>Examples</title>

  <para>
   Install the <link linkend="hstore">hstore</link> extension into the
   current database, placing its objects in schema <literal>addons</literal>:
<programlisting>
CREATE EXTENSION hstore SCHEMA addons;
</programlisting>
   Another way to accomplish the same thing:
<programlisting>
SET search_path = addons;
CREATE EXTENSION hstore;
</programlisting></para>
 </refsect1>

 <refsect1>
  <title>Compatibility</title>

  <para>
   <command>CREATE EXTENSION</command> is a <productname>PostgreSQL</productname>
   extension.
  </para>
 </refsect1>

 <refsect1>
  <title>See Also</title>

  <simplelist type="inline">
   <member><xref linkend="sql-alterextension"/></member>
   <member><xref linkend="sql-dropextension"/></member>
  </simplelist>
 </refsect1>

</refentry>
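
The caution in the Notes section says that unvetted extensions should be installed only into schemas where untrusted users do not hold CREATE privilege, and likewise for the extensions they depend on. The queries below are one way to check that. They are an added example, not part of the PostgreSQL documentation, and they assume the <literal>addons</literal> target schema from the Examples section already exists.

```sql
-- Added example (not from the PostgreSQL documentation).

-- 1. Pre-install check: list every non-superuser role that could create
--    objects in the intended target schema. has_schema_privilege() also
--    counts privileges held through PUBLIC and through role membership,
--    so a grant to PUBLIC shows up as one row per role.
--    'addons' is the schema name used in the Examples section; the call
--    raises an error if that schema does not exist.
SELECT r.rolname AS role_with_create
FROM pg_catalog.pg_roles AS r
WHERE NOT r.rolsuper
  AND pg_catalog.has_schema_privilege(r.oid, 'addons', 'CREATE')
ORDER BY r.rolname;

-- 2. Post-install audit: for every extension already installed in this
--    database, list the non-superuser roles that hold CREATE on the
--    schema containing it. Because extensions that others depend on are
--    themselves installed extensions, this covers dependency schemas too.
SELECT e.extname,
       n.nspname AS extension_schema,
       r.rolname AS role_with_create
FROM pg_catalog.pg_extension AS e
JOIN pg_catalog.pg_namespace AS n
  ON n.oid = e.extnamespace
CROSS JOIN pg_catalog.pg_roles AS r
WHERE NOT r.rolsuper
  AND pg_catalog.has_schema_privilege(r.oid, n.oid, 'CREATE')
ORDER BY e.extname, r.rolname;

-- 3. If query 1 returns rows only because of a grant to PUBLIC, remove
--    that grant before installing, then re-run query 1 to confirm.
REVOKE CREATE ON SCHEMA addons FROM PUBLIC;
```

Any role returned by either query must be one you trust as much as a superuser for the purposes of that extension's installation script; otherwise revoke its CREATE privilege or choose a different target schema.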

Title: CREATE EXTENSION: Security, Examples, Compatibility, and See Also
Summary
This section expands on the notes for CREATE EXTENSION, cautioning against security risks when installing extensions as superuser due to potential trojan-horse objects. It recommends installing unvetted extensions into secure schemas. It also provides an example of installing the hstore extension and mentions resources for writing new extensions. The section concludes with compatibility information and related commands.