Re: public schema default ACL

Peter Eisentraut <peter.eisentraut@2ndquadrant.com>

From: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
To: Noah Misch <noah@leadboat.com>, "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Cc: Stephen Frost <sfrost@snowman.net>, Magnus Hagander <magnus@hagander.net>, "David G. Johnston" <david.g.johnston@gmail.com>, Alvaro Herrera <alvherre@alvh.no-ip.org>, Tom Lane <tgl@sss.pgh.pa.us>, Robert Haas <robertmhaas@gmail.com>
Date: 2020-11-02T10:51:28Z
Lists: pgsql-hackers
On 2020-10-31 17:35, Noah Misch wrote:
> Overall, that's 3.2 votes for (b)(3)(X) and 0.0 to 1.0 votes for changing
> nothing.  That suffices to proceed with (b)(3)(X).  However, given the few
> votes and the conspicuous non-responses, work in this area has a high risk of
> failure.  Hence, I will place it at a low-priority position in my queue.

My vote would also be (b)(3)(X).  Allowing the database owner to manage 
the public schema within their database makes a lot of sense, 
independent of any overarching goals.

I'm not convinced, however, that this would would really move the needle 
in terms of the general security-uneasiness about the public schema and 
search paths.  AFAICT, in any of your proposals, the default would still 
be to have the public schema world-writable and in the path.

-- 
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services



Commits

  1. Revoke PUBLIC CREATE from public schema, now owned by pg_database_owner.

  2. Document security implications of search_path and the public schema.