Re: public schema default ACL
Bruce Momjian <bruce@momjian.us>
From: Bruce Momjian <bruce@momjian.us>
To: Noah Misch <noah@leadboat.com>
Cc: "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>, "David G. Johnston" <david.g.johnston@gmail.com>, Peter Eisentraut <peter.eisentraut@2ndquadrant.com>, Stephen Frost <sfrost@snowman.net>, Alvaro Herrera <alvherre@alvh.no-ip.org>, Tom Lane <tgl@sss.pgh.pa.us>, Robert Haas <robertmhaas@gmail.com>
Date: 2020-08-03T15:22:48Z
Lists: pgsql-hackers
On Sun, Aug 2, 2020 at 11:30:50PM -0700, Noah Misch wrote: > On Fri, Mar 23, 2018 at 07:47:39PM -0700, Noah Misch wrote: > > In light of the mixed reception, I am withdrawing this proposal. > > I'd like to reopen this. Reception was mixed, but more in favor than against. > Also, variations on the idea trade some problems for others and may be more > attractive. The taxonomy of variations has three important dimensions: > > Interaction with dump/restore (including pg_upgrade) options: > a. If the schema has a non-default ACL, dump/restore reproduces it. > Otherwise, the new default prevails. > b. Dump/restore always reproduces the schema ACL. I am worried that someone _slightly_ modifies the ACL permissions on the schema, and we reproduce it, and they think they are secure, but they are not. I guess for the public, and change would be to make it more secure, so maybe this works, but it seems tricky. -- Bruce Momjian <bruce@momjian.us> https://momjian.us EnterpriseDB https://enterprisedb.com The usefulness of a cup is in its emptiness, Bruce Lee
Commits
-
Revoke PUBLIC CREATE from public schema, now owned by pg_database_owner.
- b073c3ccd06e 15.0 landed
-
Document security implications of search_path and the public schema.
- 5770172cb0c9 11.0 cited