BUG #1497: Default permissions allow any user to create objects in any database

The following bug has been logged online:

Bug reference: 1497
Logged by: Barry Brown
Email address: barry(at)cs(dot)sierracollege(dot)edu
PostgreSQL version: 8.0.1
Operating system: RHEL 3.0
Description: Default permissions allow any user to create objects in
any database
Details:

The docs say that initially only the owner of a database may use the objects
created in it. But I have found that ANY user can work with any object by
default, even in the template1 database.

To reproduce the bug, I will create a user called 'sqltest' with password
'foobar', connect to template1 as that user, and create a table.

First, create the user:
[root(at)cs data]# su - postgres
-bash-2.05b$ psql template1
Welcome to psql 8.0.1, the PostgreSQL interactive terminal.

Type: \copyright for distribution terms
\h for help with SQL commands
\g or terminate with semicolon to execute query
\q to quit

template1=# create user sqltest password 'foobar';
CREATE USER

Next, connect as that user to template1:
[barry(at)cs barry]$ psql -U sqltest template1
Password:
Welcome to psql 8.0.1, the PostgreSQL interactive terminal.

Type: \copyright for distribution terms
\h for help with SQL commands
\? for help with psql commands
\g or terminate with semicolon to execute query
\q to quit

template1=>

Finally, create a table:
template1=> create table foo (
template1(> id_num int
template1(> );
CREATE TABLE
template1=> \dt foo
List of relations
Schema | Name | Type | Owner
--------+------+-------+---------
public | foo | table | sqltest
(1 row)

I should not be able to do this.

I compiled PostgreSQL from the FC3 SRPM found on rpmfind.net. I had to
disable SSL, KRB, and Selftest in the spec file to make it compile.