Re: pgsql: Revoke PUBLIC CREATE from public schema, now owned by pg_databas

Robert Haas <robertmhaas@gmail.com>

From: Robert Haas <robertmhaas@gmail.com>
To: Noah Misch <noah@leadboat.com>
Cc: "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Date: 2022-11-29T19:22:59Z
Lists: pgsql-hackers

Attachments

On Fri, Sep 10, 2021 at 2:39 AM Noah Misch <noah@leadboat.com> wrote:
> Revoke PUBLIC CREATE from public schema, now owned by pg_database_owner.
>
> This switches the default ACL to what the documentation has recommended
> since CVE-2018-1058.  Upgrades will carry forward any old ownership and
> ACL.  Sites that declined the 2018 recommendation should take a fresh
> look.  Recipes for commissioning a new database cluster from scratch may
> need to create a schema, grant more privileges, etc.  Out-of-tree test
> suites may require such updates.

I was looking at the changes that this commit made to ddl.sgml today
and I feel that it's not quite ideal. Under "Constrain ordinary users
to user-private schemas" it first says "To implement this, first issue
<literal>REVOKE CREATE ON SCHEMA public FROM PUBLIC</literal>" and
then later says, oh but wait, you actually don't need to do that
unless you're upgrading. That seems a bit backwards to me: I think we
should talk about the current state of play first, and then add the
notes about upgrading afterwards.

Here's a proposed patch to do that.

-- 
Robert Haas
EDB: http://www.enterprisedb.com

Commits

  1. Doc: word-smith the discussion of secure schema usage patterns.

  2. Fix the public schema's permissions in a separate test script.

  3. Revoke PUBLIC CREATE from public schema, now owned by pg_database_owner.