Re: Ver 15.X and restriction for schema=public

On 12/23/24 12:17 PM, Bharani SV-forum wrote:
> Adrian
> TQ. Exactly , you have provided the needed information
>
> For existing databases, especially those having multiple users,
> - I will consider revoking CREATE permission on the public schema to
> adopt this new default.

You may want to do some testing before you do that. It may very well be
that your existing code depends on being able to CREATE objects in the
public schema using the public role.

>
> 1) Do i need to revoke "SELECT" access on any tables/indexes etc in
> schema = public ?
> 2) Do i need to revoke "Execute" access on any procedures/functions  in
> schema = public ?

Again this is going to need to be tested. I'm betting though that your
present code depends on these privileges existing.

Just remember the change was for:

"Remove PUBLIC creation permission on the public schema"

where PUBLIC is a built in role. I would suggest reading:

https://www.postgresql.org/docs/current/ddl-priv.html

for more information on what that means.

>
>
> I agree with your suggestion - - For new databases having no need to
> defend against insider threats, granting CREATE permission will yield
> the behavior of prior releases.

It is not my suggestion, what I quoted comes from the documentation.

>
> Can you pl seed more information with qsn#1 and #2
>
> On Monday, December 23, 2024 at 03:06:56 PM EST, Adrian Klaver
> <adrian(dot)klaver(at)aklaver(dot)com> wrote:
>
>
>
>
> On 12/23/24 11:26 AM, Bharani SV-forum wrote:
> > Team
> > I am in the process of upgrading EC2-PGS ver 13.X to 15.X
> > I am aware  since ver 14.X, we have restriction in the usage of
> > schema=public and the DBA need to grant exclusive priv for the tagged db
> > user's.
>
> Are you referring to this?:
>
> https://www.postgresql.org/docs/15/release-15.html
> <https://www.postgresql.org/docs/15/release-15.html>
>
> "Remove PUBLIC creation permission on the public schema (Noah Misch) §
>
> The new default is one of the secure schema usage patterns that Section
> 5.9.6 has recommended since the security release for CVE-2018-1058. The
> change applies to new database clusters and to newly-created databases
> in existing clusters. Upgrading a cluster or restoring a database dump
> will preserve public's existing permissions.
>
> For existing databases, especially those having multiple users, consider
> revoking CREATE permission on the public schema to adopt this new
> default. For new databases having no need to defend against insider
> threats, granting CREATE permission will yield the behavior of prior
> releases.
>
> "
>
>
> >
> > Assume i want to enforce it,
> > Can i retag all the object tables/indexex/packages/procedures/functions
> > etc tagged under schema =public to a newly created schema e.g =
> > *schemaname = allowallusr *and grant respective priv's.
> >
> > Whether it will resolve the issue, as application time need time to
> > validated all the use case for testing the objects which is present
> > under schema=public and ported to new schema= allowallusr .
> >
> > Any suggestions or best practise
>
>
> --
> Adrian Klaver
> adrian(dot)klaver(at)aklaver(dot)com <mailto:adrian(dot)klaver(at)aklaver(dot)com>
>
>
>

--
Adrian Klaver
adrian(dot)klaver(at)aklaver(dot)com