Re: pgsql: Revoke PUBLIC CREATE from public schema, now owned by pg_databas
Robert Haas <robertmhaas@gmail.com>
From: Robert Haas <robertmhaas@gmail.com>
To: Noah Misch <noah@leadboat.com>
Cc: "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Date: 2022-11-29T19:22:59Z
Lists: pgsql-hackers
Attachments
- ddl-create-public-reorg.patch (application/octet-stream)
On Fri, Sep 10, 2021 at 2:39 AM Noah Misch <noah@leadboat.com> wrote: > Revoke PUBLIC CREATE from public schema, now owned by pg_database_owner. > > This switches the default ACL to what the documentation has recommended > since CVE-2018-1058. Upgrades will carry forward any old ownership and > ACL. Sites that declined the 2018 recommendation should take a fresh > look. Recipes for commissioning a new database cluster from scratch may > need to create a schema, grant more privileges, etc. Out-of-tree test > suites may require such updates. I was looking at the changes that this commit made to ddl.sgml today and I feel that it's not quite ideal. Under "Constrain ordinary users to user-private schemas" it first says "To implement this, first issue <literal>REVOKE CREATE ON SCHEMA public FROM PUBLIC</literal>" and then later says, oh but wait, you actually don't need to do that unless you're upgrading. That seems a bit backwards to me: I think we should talk about the current state of play first, and then add the notes about upgrading afterwards. Here's a proposed patch to do that. -- Robert Haas EDB: http://www.enterprisedb.com
Commits
-
Doc: word-smith the discussion of secure schema usage patterns.
- ef2d7c6f0ba9 16.0 landed
- afa4a4f764cc 15.2 landed
-
Fix the public schema's permissions in a separate test script.
- 944dc45d1b63 15.0 landed
-
Revoke PUBLIC CREATE from public schema, now owned by pg_database_owner.
- b073c3ccd06e 15.0 cited