Re: pgsql: Revoke PUBLIC CREATE from public schema, now owned by pg_databas

Alvaro Herrera <alvherre@alvh.no-ip.org>

From: Alvaro Herrera <alvherre@alvh.no-ip.org>
To: Noah Misch <noah@leadboat.com>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, Robert Haas <robertmhaas@gmail.com>, "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Date: 2022-12-01T11:16:39Z
Lists: pgsql-hackers
On 2022-Dec-01, Noah Misch wrote:

> This is free from the problem found in ddl-create-public-reorg-really.patch.
> However, the word "other" doesn't belong there.  (The per-user schemas should
> not have public CREATE privilege.)  I would also move that same sentence up
> front, like this:
> 
>     Constrain ordinary users to user-private schemas.  To implement this
>     pattern, first ensure that no schemas have public CREATE privileges.
>     Then, for every user needing to create non-temporary objects, create a
>     schema with the same name as that user.  (Recall that the default search
>     path starts with $user, which resolves to the user name. Therefore, if
>     each user has a separate schema, they access their own schemas by
>     default.)  This pattern is a secure schema usage pattern unless an
>     untrusted user is the database owner or holds the CREATEROLE privilege, in
>     which case no secure schema usage pattern exists.

+1 LGTM

-- 
Álvaro Herrera         PostgreSQL Developer  —  https://www.EnterpriseDB.com/



Commits

  1. Doc: word-smith the discussion of secure schema usage patterns.

  2. Fix the public schema's permissions in a separate test script.

  3. Revoke PUBLIC CREATE from public schema, now owned by pg_database_owner.