Re: public schema default ACL
Noah Misch <noah@leadboat.com>
From: Noah Misch <noah@leadboat.com>
To: Bruce Momjian <bruce@momjian.us>
Cc: "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>, "David G. Johnston" <david.g.johnston@gmail.com>, Peter Eisentraut <peter.eisentraut@2ndquadrant.com>, Stephen Frost <sfrost@snowman.net>, Alvaro Herrera <alvherre@alvh.no-ip.org>, Tom Lane <tgl@sss.pgh.pa.us>, Robert Haas <robertmhaas@gmail.com>
Date: 2020-08-07T03:00:20Z
Lists: pgsql-hackers
On Mon, Aug 03, 2020 at 11:22:48AM -0400, Bruce Momjian wrote: > On Sun, Aug 2, 2020 at 11:30:50PM -0700, Noah Misch wrote: > > On Fri, Mar 23, 2018 at 07:47:39PM -0700, Noah Misch wrote: > > > In light of the mixed reception, I am withdrawing this proposal. > > > > I'd like to reopen this. Reception was mixed, but more in favor than against. > > Also, variations on the idea trade some problems for others and may be more > > attractive. The taxonomy of variations has three important dimensions: > > > > Interaction with dump/restore (including pg_upgrade) options: > > a. If the schema has a non-default ACL, dump/restore reproduces it. > > Otherwise, the new default prevails. > > b. Dump/restore always reproduces the schema ACL. > > I am worried that someone _slightly_ modifies the ACL permissions on the > schema, and we reproduce it, and they think they are secure, but they > are not. I guess for the public, and change would be to make it more > secure, so maybe this works, but it seems tricky. Unless someone advocates for (a), we have dodged that problem, right?
Commits
-
Revoke PUBLIC CREATE from public schema, now owned by pg_database_owner.
- b073c3ccd06e 15.0 landed
-
Document security implications of search_path and the public schema.
- 5770172cb0c9 11.0 cited