Re: public schema default ACL

Noah Misch <noah@leadboat.com>

From: Noah Misch <noah@leadboat.com>
To: Bruce Momjian <bruce@momjian.us>
Cc: "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>, "David G. Johnston" <david.g.johnston@gmail.com>, Peter Eisentraut <peter.eisentraut@2ndquadrant.com>, Stephen Frost <sfrost@snowman.net>, Alvaro Herrera <alvherre@alvh.no-ip.org>, Tom Lane <tgl@sss.pgh.pa.us>, Robert Haas <robertmhaas@gmail.com>
Date: 2020-08-07T03:00:20Z
Lists: pgsql-hackers
On Mon, Aug 03, 2020 at 11:22:48AM -0400, Bruce Momjian wrote:
> On Sun, Aug  2, 2020 at 11:30:50PM -0700, Noah Misch wrote:
> > On Fri, Mar 23, 2018 at 07:47:39PM -0700, Noah Misch wrote:
> > > In light of the mixed reception, I am withdrawing this proposal.
> > 
> > I'd like to reopen this.  Reception was mixed, but more in favor than against.
> > Also, variations on the idea trade some problems for others and may be more
> > attractive.  The taxonomy of variations has three important dimensions:
> > 
> > Interaction with dump/restore (including pg_upgrade) options:
> > a. If the schema has a non-default ACL, dump/restore reproduces it.
> >    Otherwise, the new default prevails.
> > b. Dump/restore always reproduces the schema ACL.
> 
> I am worried that someone _slightly_ modifies the ACL permissions on the
> schema, and we reproduce it, and they think they are secure, but they
> are not.  I guess for the public, and change would be to make it more
> secure, so maybe this works, but it seems tricky.

Unless someone advocates for (a), we have dodged that problem, right?



Commits

  1. Revoke PUBLIC CREATE from public schema, now owned by pg_database_owner.

  2. Document security implications of search_path and the public schema.