| From: | Dominique Devienne <ddevienne(at)gmail(dot)com> |
|---|---|
| To: | pgsql-general(at)lists(dot)postgresql(dot)org |
| Subject: | public schema grants to PUBLIC role |
| Date: | 2023-03-09 09:34:45 |
| Message-ID: | CAFCRh--mT14Hj_FcbbrBVMMD7JoCQi29TKymrNXz2TYh_-53HQ@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Hi. I've recently realized via a post (or article?) from Laurenz that the
PUBLIC role has CREATE privilege on the 'public' schema by default (see
query below). I guess it can't be avoided?
OK, then I'll REVOKE that privilege when creating a new DB.
Like I already revoked the default CONNECT to PUBLIC on the DB.
But I'm wondering about unexpected side-effets.
In particular, we need extensions, which are loaded in public by default.
Will USAGE of public be enough for LOGIN users having access to the DB to
use extensions?
More broadly, we want to secure the DB so that all DB access and schema
access are explicit.
Anything else to be aware of please, beside the two mentioned above?
Thanks, --DD
```
=> select grantor::regrole::text, case grantee when 0 then 'PUBLIC' else
grantee::regrole::text end, privilege_type as priv, is_grantable as adm
from pg_namespace, lateral aclexplode(nspacl) where nspname = 'public';
grantor | grantee | priv | adm
----------+----------+--------+-----
postgres | postgres | USAGE | f
postgres | postgres | CREATE | f
postgres | PUBLIC | USAGE | f
postgres | PUBLIC | CREATE | f
(4 rows)
```
| From | Date | Subject | |
|---|---|---|---|
| Next Message | houzj.fnst@fujitsu.com | 2023-03-09 09:58:49 | RE: Support logical replication of DDLs |
| Previous Message | Rosebrock, Uwe (Environment, Hobart) | 2023-03-09 06:07:38 | crosstab |