RE: Removing the default grant of EXECUTE on functions/procedures to PUBLIC

I was checking pg_roles.acl_default to see if my role-level ALTER DEFAULT PRIVILEGES had been effective. But I see the same content both before and after the ALTEr.

You mention that this needs to be done in each database. Is there a database-level version of pg_roles.acl_default that I should be checking instead?

Thanks,
Mike Tefft

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Sent: Friday, July 5, 2024 10:51 AM
To: Tefft, Michael J <Michael(dot)J(dot)Tefft(at)snapon(dot)com>
Cc: pgsql-general(at)lists(dot)postgresql(dot)org
Subject: Re: Removing the default grant of EXECUTE on functions/procedures to PUBLIC

"Tefft, Michael J" <Michael. J. Tefft@ snapon. com> writes: > I am trying to remove the default grant of EXECUTE on all functions/procedures to PUBLIC. >> From my reading, there is no straightforward way to do this. For example,

"Tefft, Michael J" <Michael(dot)J(dot)Tefft(at)snapon(dot)com<mailto:Michael(dot)J(dot)Tefft(at)snapon(dot)com>> writes:

> I am trying to remove the default grant of EXECUTE on all functions/procedures to PUBLIC.

>> From my reading, there is no straightforward way to do this. For example,

> ALTER DEFAULT PRIVILEGES REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;

> Does not apply this across the entire cluster (or database) but only applies to the role who issued it (and objects yet to be created by that role) .

> So I am arriving at the conclusion that I need to alter the default privileges for every existing role (which I expected), and ensure that default privileges are altered for every new role that is created going forward.

> Have I analyzed this correctly?

You'll also need to repeat the ALTERs in each database of your

installation.

regards, tom lane