Re: pgsql: Revoke PUBLIC CREATE from public schema, now owned by pg_databas
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Alvaro Herrera <alvherre@alvh.no-ip.org>
Cc: Noah Misch <noah@leadboat.com>, Robert Haas <robertmhaas@gmail.com>,
"pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Date: 2022-12-01T14:24:43Z
Lists: pgsql-hackers
Alvaro Herrera <alvherre@alvh.no-ip.org> writes: > On 2022-Dec-01, Noah Misch wrote: >> This is free from the problem found in ddl-create-public-reorg-really.patch. >> However, the word "other" doesn't belong there. (The per-user schemas should >> not have public CREATE privilege.) I would also move that same sentence up >> front, like this: >> >> Constrain ordinary users to user-private schemas. To implement this >> pattern, first ensure that no schemas have public CREATE privileges. >> Then, for every user needing to create non-temporary objects, create a >> schema with the same name as that user. (Recall that the default search >> path starts with $user, which resolves to the user name. Therefore, if >> each user has a separate schema, they access their own schemas by >> default.) This pattern is a secure schema usage pattern unless an >> untrusted user is the database owner or holds the CREATEROLE privilege, in >> which case no secure schema usage pattern exists. > +1 LGTM Sounds good. I'll make it so in a bit. regards, tom lane
Commits
-
Doc: word-smith the discussion of secure schema usage patterns.
- ef2d7c6f0ba9 16.0 landed
- afa4a4f764cc 15.2 landed
-
Fix the public schema's permissions in a separate test script.
- 944dc45d1b63 15.0 landed
-
Revoke PUBLIC CREATE from public schema, now owned by pg_database_owner.
- b073c3ccd06e 15.0 cited