Re: PG16.1 security breach?

From: "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>
To: Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at>
Cc: "Zwettler Markus (OIZ)" <Markus(dot)Zwettler(at)zuerich(dot)ch>, Joe Conway <mail(at)joeconway(dot)com>, "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org>
Subject: Re: PG16.1 security breach?
Date: 2024-06-12 20:35:21
Message-ID: CAKFQuwbtQzCnXyaRdxeXOqEWszYoQqZiJwdy41X1bH_=cJK-ug@mail.gmail.com
Lists: pgsql-general

On Mon, Jun 10, 2024 at 2:21 AM Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at>
wrote:

> > How is it that the default privilege granted to public doesn’t seem to care who the object creator
> > is yet when revoking the grant one supposedly can only do so within the scope of a single role?
>
> I don't understand what you wrote. ALTER DEFAULT PRIVILEGES also only applies to objects
> created by a single role when you grant default privileges.

I think my point is that a paragraph like the following may be a useful
addition:

If one wishes to remove the default privilege granted to public to execute
all newly created procedures it is necessary to revoke that privilege for
every superuser in the system as well as any roles that directly have
create permission on a schema and also those that inherit a create
permission on a schema. Lastly, any new roles created in the future with
direct or indirect create permission on a schema must also be altered. In
other words, the first time a role creates a routine the default privileges
involved with that creation will include granting execute to public,
unless said default privileges have already been revoked.

Maybe generalized to any of the default privileges. I find the existing
wording to gloss over the fact that one cannot just decide up front they
want to not allow these default privileges to public once on a system-wide
basis but must continually maintain the default privileges as new roles are
added that are allowed to create different objects, directly or otherwise.

David J.
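
An added example, not part of the message above or of the PostgreSQL documentation: a catalog query for the current database that lists every role able to create objects in a schema (superusers, direct holders of CREATE, and roles that inherit it) whose global default privileges still grant EXECUTE on routines to PUBLIC, and emits the statement that would revoke it. Skipping the predefined `pg_*` roles and system schemas is an assumption of this sketch.

```sql
-- Added example: run once per database, since schemas and pg_default_acl are per-database.
WITH creators AS (
    SELECT r.oid, r.rolname
    FROM pg_roles r
    WHERE r.rolname NOT LIKE 'pg\_%'          -- assumption: skip predefined roles
      AND (
            r.rolsuper
         OR EXISTS (
                SELECT 1
                FROM pg_namespace n
                WHERE n.nspname NOT LIKE 'pg\_%'
                  AND n.nspname <> 'information_schema'
                  -- true for CREATE held directly or through inherited membership
                  AND has_schema_privilege(r.oid, n.oid, 'CREATE')
            )
      )
),
already_revoked AS (
    -- defaclnamespace = 0 marks a role's global default ACL, which replaces the
    -- built-in default; defaclobjtype 'f' covers functions and procedures.
    SELECT d.defaclrole
    FROM pg_default_acl d
    WHERE d.defaclnamespace = 0
      AND d.defaclobjtype = 'f'
      AND NOT EXISTS (
            SELECT 1
            FROM aclexplode(d.defaclacl) a
            WHERE a.grantee = 0               -- grantee 0 is PUBLIC
              AND a.privilege_type = 'EXECUTE'
      )
)
SELECT format(
         'ALTER DEFAULT PRIVILEGES FOR ROLE %I REVOKE EXECUTE ON ROUTINES FROM PUBLIC;',
         c.rolname
       ) AS pending_revoke
FROM creators c
WHERE c.oid NOT IN (SELECT defaclrole FROM already_revoked)
ORDER BY c.rolname;
```

An empty result means every current creator role has already had the default revoked in this database; the query has to be rerun whenever a role is created or gains CREATE on a schema, which is the ongoing maintenance the message describes.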
