From: | "Tefft, Michael J" <Michael(dot)J(dot)Tefft(at)snapon(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org> |
Subject: | RE: Removing the default grant of EXECUTE on functions/procedures to PUBLIC |
Date: | 2024-07-05 17:42:35 |
Message-ID: | BN8PR04MB6289DE86BD158D8785B302C5D0DF2@BN8PR04MB6289.namprd04.prod.outlook.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
I was checking pg_roles.acl_default to see if my role-level ALTER DEFAULT PRIVILEGES had been effective. But I see the same content both before and after the ALTEr.
You mention that this needs to be done in each database. Is there a database-level version of pg_roles.acl_default that I should be checking instead?
Thanks,
Mike Tefft
From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Sent: Friday, July 5, 2024 10:51 AM
To: Tefft, Michael J <Michael(dot)J(dot)Tefft(at)snapon(dot)com>
Cc: pgsql-general(at)lists(dot)postgresql(dot)org
Subject: Re: Removing the default grant of EXECUTE on functions/procedures to PUBLIC
"Tefft, Michael J" <Michael. J. Tefft@ snapon. com> writes: > I am trying to remove the default grant of EXECUTE on all functions/procedures to PUBLIC. >> From my reading, there is no straightforward way to do this. For example,
"Tefft, Michael J" <Michael(dot)J(dot)Tefft(at)snapon(dot)com<mailto:Michael(dot)J(dot)Tefft(at)snapon(dot)com>> writes:
> I am trying to remove the default grant of EXECUTE on all functions/procedures to PUBLIC.
>> From my reading, there is no straightforward way to do this. For example,
> ALTER DEFAULT PRIVILEGES REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;
> Does not apply this across the entire cluster (or database) but only applies to the role who issued it (and objects yet to be created by that role) .
> So I am arriving at the conclusion that I need to alter the default privileges for every existing role (which I expected), and ensure that default privileges are altered for every new role that is created going forward.
> Have I analyzed this correctly?
You'll also need to repeat the ALTERs in each database of your
installation.
regards, tom lane
From | Date | Subject | |
---|---|---|---|
Next Message | Dennis White | 2024-07-05 18:12:27 | Can a long running procedure detect when smart shutdown is pending? |
Previous Message | Tomas Pospisek | 2024-07-05 17:07:02 | Re: apt-archive.postgresql.org a bit broken? |