Re: Rationale for PUBLIC having CREATE and USAGE privileges on the schema "public" by default

From: Tim Clarke <tim(dot)clarke(at)manifest(dot)co(dot)uk>
To: <pgsql-general(at)lists(dot)postgresql(dot)org>
Subject: Re: Rationale for PUBLIC having CREATE and USAGE privileges on the schema "public" by default
Date: 2018-02-17 21:37:48
Message-ID: 5a573987-6285-7ed6-b7a2-b38c306dbf0a@manifest.co.uk
Lists: pgsql-general


On 17/02/18 20:48, Olegs Jeremejevs wrote:
> Okay, in other words, there's no way to completely defend oneself from
> DoS attacks which require having a session? If so, is there a scenario
> where some bad actor can create a new user for themselves (to connect
> to the database with), and not be able to do anything more damaging
> than that? For example, if I can do an SQL injection, then I can do
> something more clever than running a CREATE ROLE. And if not, then
> there's no point in worrying about privileges in a single-tenant
> database? Beyond human error safeguards.
>
> Olegs

How about execution limits, Olegs?

Tim Clarke
