Re: public schema grants to PUBLIC role

Christoph Moench-Tegeder <cmt@burggraben.net>

From: Christoph Moench-Tegeder <cmt@burggraben.net>
To: Dominique Devienne <ddevienne@gmail.com>
Cc: pgsql-general@lists.postgresql.org
Date: 2023-03-09T11:35:11Z
Lists: pgsql-general
## Dominique Devienne (ddevienne@gmail.com):

> Hi. I've recently realized via a post (or article?) from Laurenz that the
> PUBLIC role has CREATE privilege on the 'public' schema by default (see
> query below). I guess it can't be avoided?

You could just use PostgreSQL 15:
https://www.postgresql.org/docs/15/release-15.html#id-1.11.6.7.4

> In particular, we need extensions, which are loaded in public by default.
> Will USAGE of public be enough for LOGIN users having access to the DB to
> use extensions?

Plus any grants on the extension's object.

> More broadly, we want to secure the DB so that all DB access and schema
> access are explicit.
> Anything else to be aware of please, beside the two mentioned above?

Have a look at default privileges and group roles, that will make your
life much easier.
https://www.postgresql.org/docs/15/ddl-priv.html

Regards,
Christoph

-- 
Spare Space.