Mark some contrib modules as "trusted".

This allows these modules to be installed into a database without
superuser privileges (assuming that the DBA or sysadmin has installed
the module's files in the expected place).  You only need CREATE
privilege on the current database, which by default would be
available to the database owner.

The following modules are marked trusted:

btree_gin
btree_gist
citext
cube
dict_int
earthdistance
fuzzystrmatch
hstore
hstore_plperl
intarray
isn
jsonb_plperl
lo
ltree
pg_trgm
pgcrypto
seg
tablefunc
tcn
tsm_system_rows
tsm_system_time
unaccent
uuid-ossp

In the future we might mark some more modules trusted, but there
seems to be no debate about these, and on the whole it seems wise
to be conservative with use of this feature to start out with.

Discussion: https://postgr.es/m/32315.1580326876@sss.pgh.pa.us

contrib/btree_gin/btree_gin.control

@@ -3,3 +3,4 @@ comment = 'support for indexing common datatypes in GIN'
 default_version = '1.3'
 module_pathname = '$libdir/btree_gin'
 relocatable = true
+trusted = true

contrib/btree_gist/btree_gist.control

@@ -3,3 +3,4 @@ comment = 'support for indexing common datatypes in GiST'
 default_version = '1.5'
 module_pathname = '$libdir/btree_gist'
 relocatable = true
+trusted = true

contrib/citext/citext.control

@@ -3,3 +3,4 @@ comment = 'data type for case-insensitive character strings'
 default_version = '1.6'
 module_pathname = '$libdir/citext'
 relocatable = true
+trusted = true

contrib/cube/cube.control

@@ -3,3 +3,4 @@ comment = 'data type for multidimensional cubes'
 default_version = '1.4'
 module_pathname = '$libdir/cube'
 relocatable = true
+trusted = true

contrib/dict_int/dict_int.control

@@ -3,3 +3,4 @@ comment = 'text search dictionary template for integers'
 default_version = '1.0'
 module_pathname = '$libdir/dict_int'
 relocatable = true
+trusted = true

contrib/earthdistance/earthdistance.control

@@ -3,4 +3,5 @@ comment = 'calculate great-circle distances on the surface of the Earth'
 default_version = '1.1'
 module_pathname = '$libdir/earthdistance'
 relocatable = true
+trusted = true
 requires = 'cube'

contrib/fuzzystrmatch/fuzzystrmatch.control

@@ -3,3 +3,4 @@ comment = 'determine similarities and distance between strings'
 default_version = '1.1'
 module_pathname = '$libdir/fuzzystrmatch'
 relocatable = true
+trusted = true

contrib/hstore/hstore.control

@@ -3,3 +3,4 @@ comment = 'data type for storing sets of (key, value) pairs'
 default_version = '1.6'
 module_pathname = '$libdir/hstore'
 relocatable = true
+trusted = true

contrib/hstore_plperl/hstore_plperl.control

@@ -3,4 +3,5 @@ comment = 'transform between hstore and plperl'
 default_version = '1.0'
 module_pathname = '$libdir/hstore_plperl'
 relocatable = true
+trusted = true
 requires = 'hstore,plperl'

contrib/intarray/intarray.control

@@ -3,3 +3,4 @@ comment = 'functions, operators, and index support for 1-D arrays of integers'
 default_version = '1.2'
 module_pathname = '$libdir/_int'
 relocatable = true
+trusted = true

contrib/isn/isn.control

@@ -3,3 +3,4 @@ comment = 'data types for international product numbering standards'
 default_version = '1.2'
 module_pathname = '$libdir/isn'
 relocatable = true
+trusted = true

contrib/jsonb_plperl/jsonb_plperl.control

@@ -3,4 +3,5 @@ comment = 'transform between jsonb and plperl'
 default_version = '1.0'
 module_pathname = '$libdir/jsonb_plperl'
 relocatable = true
+trusted = true
 requires = 'plperl'

contrib/lo/lo.control

@@ -3,3 +3,4 @@ comment = 'Large Object maintenance'
 default_version = '1.1'
 module_pathname = '$libdir/lo'
 relocatable = true
+trusted = true

contrib/ltree/ltree.control

@@ -3,3 +3,4 @@ comment = 'data type for hierarchical tree-like structures'
 default_version = '1.1'
 module_pathname = '$libdir/ltree'
 relocatable = true
+trusted = true

contrib/pg_trgm/pg_trgm.control

@@ -3,3 +3,4 @@ comment = 'text similarity measurement and index searching based on trigrams'
 default_version = '1.4'
 module_pathname = '$libdir/pg_trgm'
 relocatable = true
+trusted = true

contrib/pgcrypto/pgcrypto.control

@@ -3,3 +3,4 @@ comment = 'cryptographic functions'
 default_version = '1.3'
 module_pathname = '$libdir/pgcrypto'
 relocatable = true
+trusted = true

contrib/seg/seg.control

@@ -3,3 +3,4 @@ comment = 'data type for representing line segments or floating-point intervals'
 default_version = '1.3'
 module_pathname = '$libdir/seg'
 relocatable = true
+trusted = true

contrib/tablefunc/tablefunc.control

@@ -3,3 +3,4 @@ comment = 'functions that manipulate whole tables, including crosstab'
 default_version = '1.0'
 module_pathname = '$libdir/tablefunc'
 relocatable = true
+trusted = true

contrib/tcn/tcn.control

@@ -3,3 +3,4 @@ comment = 'Triggered change notifications'
 default_version = '1.0'
 module_pathname = '$libdir/tcn'
 relocatable = true
+trusted = true

contrib/tsm_system_rows/tsm_system_rows.control

@@ -3,3 +3,4 @@ comment = 'TABLESAMPLE method which accepts number of rows as a limit'
 default_version = '1.0'
 module_pathname = '$libdir/tsm_system_rows'
 relocatable = true
+trusted = true

contrib/tsm_system_time/tsm_system_time.control

@@ -3,3 +3,4 @@ comment = 'TABLESAMPLE method which accepts time in milliseconds as a limit'
 default_version = '1.0'
 module_pathname = '$libdir/tsm_system_time'
 relocatable = true
+trusted = true

contrib/unaccent/unaccent.control

@@ -3,3 +3,4 @@ comment = 'text search dictionary that removes accents'
 default_version = '1.1'
 module_pathname = '$libdir/unaccent'
 relocatable = true
+trusted = true

contrib/uuid-ossp/uuid-ossp.control

@@ -3,3 +3,4 @@ comment = 'generate universally unique identifiers (UUIDs)'
 default_version = '1.1'
 module_pathname = '$libdir/uuid-ossp'
 relocatable = true
+trusted = true

doc/src/sgml/btree-gin.sgml

@@ -32,6 +32,12 @@
   two separate indexes that would have to be combined via bitmap ANDing.
  </para>
 
+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
  <sect2>
   <title>Example Usage</title>
 

doc/src/sgml/btree-gist.sgml

@@ -52,6 +52,12 @@
   <type>oid</type>, and <type>money</type>.
  </para>
 
+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
  <sect2>
   <title>Example Usage</title>
 

doc/src/sgml/citext.sgml

@@ -24,6 +24,12 @@
   </para>
  </tip>
 
+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
  <sect2>
   <title>Rationale</title>
 

doc/src/sgml/contrib.sgml

@@ -54,7 +54,7 @@
   Many modules supply new user-defined functions, operators, or types.
   To make use of one of these modules, after you have installed the code
   you need to register the new SQL objects in the database system.
-  In <productname>PostgreSQL</productname> 9.1 and later, this is done by executing
+  This is done by executing
   a <xref linkend="sql-createextension"/> command.  In a fresh database,
   you can simply do
 
@@ -62,14 +62,23 @@
 CREATE EXTENSION <replaceable>module_name</replaceable>;
 </programlisting>
 
-  This command must be run by a database superuser.  This registers the
-  new SQL objects in the current database only, so you need to run this
-  command in each database that you want
+  This command registers the new SQL objects in the current database only,
+  so you need to run it in each database that you want
   the module's facilities to be available in.  Alternatively, run it in
   database <literal>template1</literal> so that the extension will be copied into
   subsequently-created databases by default.
  </para>
 
+ <para>
+  For all these modules, <command>CREATE EXTENSION</command> must be run
+  by a database superuser, unless the module is
+  considered <quote>trusted</quote>, in which case it can be run by any
+  user who has <literal>CREATE</literal> privilege on the current
+  database.  Modules that are trusted are identified as such in the
+  sections that follow.  Generally, trusted modules are ones that cannot
+  provide access to outside-the-database functionality.
+ </para>
+
  <para>
   Many modules allow you to install their objects in a schema of your
   choice.  To do that, add <literal>SCHEMA

doc/src/sgml/cube.sgml

@@ -12,6 +12,12 @@
   representing multidimensional cubes.
  </para>
 
+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
  <sect2>
   <title>Syntax</title>
 

doc/src/sgml/dict-int.sgml

@@ -15,6 +15,12 @@
   unique words, which greatly affects the performance of searching.
  </para>
 
+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
  <sect2>
   <title>Configuration</title>
 

doc/src/sgml/earthdistance.sgml

@@ -23,6 +23,12 @@
   project.)
  </para>
 
+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
  <sect2>
   <title>Cube-Based Earth Distances</title>
 

doc/src/sgml/fuzzystrmatch.sgml

@@ -20,6 +20,12 @@
   </para>
  </caution>
 
+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
  <sect2>
   <title>Soundex</title>
 

doc/src/sgml/hstore.sgml

@@ -15,6 +15,12 @@
   simply text strings.
  </para>
 
+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
  <sect2>
   <title><type>hstore</type> External Representation</title>
 
@@ -633,6 +639,11 @@ ALTER TABLE tablename ALTER hstorecol TYPE hstore USING hstorecol || '';
    convention).  If you use them, <type>hstore</type> values are mapped to
    Python dictionaries.
   </para>
+
+  <para>
+   Of these additional extensions, <literal>hstore_plperl</literal> is
+   considered trusted; the rest are not.
+  </para>
  </sect2>
 
  <sect2>

doc/src/sgml/intarray.sgml

@@ -24,6 +24,12 @@
   treated as though it were a linear array in storage order.
  </para>
 
+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
  <sect2>
   <title><filename>intarray</filename> Functions and Operators</title>
 

doc/src/sgml/isn.sgml

@@ -21,6 +21,12 @@
   dropped from a future version of this module.
  </para>
 
+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
  <sect2>
   <title>Data Types</title>
 

doc/src/sgml/json.sgml

@@ -622,6 +622,13 @@ SELECT jdoc->'guid', jdoc->'name' FROM api WHERE jdoc @> '{"tags": ["qu
    use them, <type>jsonb</type> values are mapped to Python dictionaries,
    lists, and scalars, as appropriate.
   </para>
+
+  <para>
+   Of these extensions, <literal>jsonb_plperl</literal> is
+   considered <quote>trusted</quote>, that is, it can be installed by
+   non-superusers who have <literal>CREATE</literal> privilege on the
+   current database.  The rest require superuser privilege to install.
+  </para>
  </sect2>
 
  <sect2 id="datatype-jsonpath">

doc/src/sgml/lo.sgml

@@ -13,6 +13,12 @@
   and a trigger <function>lo_manage</function>.
  </para>
 
+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
  <sect2>
   <title>Rationale</title>
 

doc/src/sgml/ltree.sgml

@@ -13,6 +13,12 @@
   Extensive facilities for searching through label trees are provided.
  </para>
 
+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
  <sect2>
   <title>Definitions</title>
 

doc/src/sgml/pgcrypto.sgml

@@ -17,6 +17,12 @@
   <productname>PostgreSQL</productname>.
  </para>
 
+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
  <sect2>
   <title>General Hashing Functions</title>
 

doc/src/sgml/pgtrgm.sgml

@@ -15,6 +15,12 @@
   strings.
  </para>
 
+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
  <sect2>
   <title>Trigram (or Trigraph) Concepts</title>
 

doc/src/sgml/seg.sgml

@@ -14,6 +14,12 @@
   making it especially useful for representing laboratory measurements.
  </para>
 
+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
  <sect2>
   <title>Rationale</title>
 

doc/src/sgml/tablefunc.sgml

@@ -14,6 +14,12 @@
   multiple rows.
  </para>
 
+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
  <sect2>
   <title>Functions Provided</title>
 

doc/src/sgml/tcn.sgml

@@ -17,6 +17,12 @@
   used as an <literal>AFTER</literal> trigger <literal>FOR EACH ROW</literal>.
  </para>
 
+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
  <para>
   Only one parameter may be supplied to the function in a
   <literal>CREATE TRIGGER</literal> statement, and that is optional.  If supplied

doc/src/sgml/tsm-system-rows.sgml

@@ -33,6 +33,12 @@
   the <literal>REPEATABLE</literal> clause.
  </para>
 
+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
  <sect2>
   <title>Examples</title>
 

doc/src/sgml/tsm-system-time.sgml

@@ -35,6 +35,12 @@
   the <literal>REPEATABLE</literal> clause.
  </para>
 
+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
  <sect2>
   <title>Examples</title>
 

doc/src/sgml/unaccent.sgml

@@ -21,6 +21,12 @@
   normalizing dictionary for the <filename>thesaurus</filename> dictionary.
  </para>
 
+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
  <sect2>
   <title>Configuration</title>
 

doc/src/sgml/uuid-ossp.sgml

@@ -16,6 +16,12 @@
   linkend="functions-uuid"/> for built-in ways to generate UUIDs.
  </para>
 
+ <para>
+  This module is considered <quote>trusted</quote>, that is, it can be
+  installed by non-superusers who have <literal>CREATE</literal> privilege
+  on the current database.
+ </para>
+
  <sect2>
   <title><literal>uuid-ossp</literal> Functions</title>