
BUG #1113: Default template databases grant CREATE to PUBLIC

From: "PostgreSQL Bugs List" <pgsql-bugs(at)postgresql(dot)org>
To: pgsql-bugs(at)postgresql(dot)org
Subject: BUG #1113: Default template databases grant CREATE to PUBLIC
Date: 2004-03-24 15:40:33
Message-ID: 20040324154033.8AE4CCF50CE@www.postgresql.com
Lists: pgsql-bugs
The following bug has been logged online:

Bug reference:      1113
Logged by:          Oliver Elphick

Email address:      postgresql(at)packages(dot)debian(dot)org

PostgreSQL version: 7.4

Operating system:   Debian Linux

Description:        Default template databases grant CREATE to PUBLIC

Details: 

The default database created by initdb (in template0 and template1) grants 
CREATE permission on the public schema to PUBLIC.  Therefore any user is 
able to create a table or function, including a function that can bring down 
the machine by (for example) recursively calling itself.  By default, any 
user can create objects in template1, as well. 

The default should be for CREATE permissions on the public schema to be 
revoked from PUBLIC. 

This might break old applications which have not been updated to take 
account of schemas; the workaround for them would be to grant permissions in 
template1.public as appropriate. 

Debian bug ref: #239811
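
Added example, not part of the original report: one way to audit for the grant described above and apply the revocation the report proposes, run as a superuser while connected to template1. The `aclexplode` query and the `'public'` pseudo-role argument to `has_schema_privilege` assume a modern PostgreSQL release rather than 7.4, and `legacy_app` is a hypothetical role name.

```sql
-- Added example (not from the bug report). Run as a superuser while
-- connected to template1 so databases created from it later inherit
-- the corrected ACL.

-- 1. Audit: list every schema on which PUBLIC holds CREATE.
--    In an ACL, grantee OID 0 denotes PUBLIC.
--    Assumption: aclexplode() is available (modern PostgreSQL).
SELECT n.nspname                  AS schema_name,
       pg_get_userbyid(a.grantor) AS granted_by
FROM   pg_namespace AS n
CROSS  JOIN LATERAL aclexplode(n.nspacl) AS a
WHERE  a.grantee = 0
AND    a.privilege_type = 'CREATE';

-- 2. Harden: remove the blanket grant the report objects to.
BEGIN;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- Workaround from the report for applications that predate schemas:
-- grant CREATE back to the specific role that needs it.
-- "legacy_app" is a hypothetical role; uncomment and rename as needed.
-- GRANT CREATE ON SCHEMA public TO legacy_app;
COMMIT;

-- 3. Verify: does PUBLIC still hold CREATE on the public schema?
--    Assumption: 'public' is accepted here as the PUBLIC pseudo-role.
SELECT has_schema_privilege('public', 'public', 'CREATE')
       AS public_can_create;
```

Databases that already exist were copied from the template before the change, so the same REVOKE has to be run in each of them.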

