Re: public schema default ACL

On Mon, Nov 2, 2020 at 11:05:15PM -0800, Noah Misch wrote:
> On Mon, Nov 02, 2020 at 12:42:26PM -0500, Tom Lane wrote:
> > Robert Haas <robertmhaas(at)gmail(dot)com> writes:
> > > On Mon, Nov 2, 2020 at 5:51 AM Peter Eisentraut
> > > <peter(dot)eisentraut(at)2ndquadrant(dot)com> wrote:
> > >> I'm not convinced, however, that this would would really move the needle
> > >> in terms of the general security-uneasiness about the public schema and
> > >> search paths. AFAICT, in any of your proposals, the default would still
> > >> be to have the public schema world-writable and in the path.
> >
> > > Noah's proposed change to initdb appears to involve removing CREATE
> > > permission by default, so I don't think this is true.
> >
> > I assume that means removing *public* CREATE permissions, not the
> > owner's (which'd be the DB owner with the proposed changes).
>
> My plan is for the default to become:
>
> GRANT USAGE ON SCHEMA public TO PUBLIC;
> ALTER SCHEMA public OWNER TO DATABASE_OWNER; -- new syntax

Seems it would be better to create a predefined role that owns the
public schema, or at least has create permission for the public schema
--- that way, when you are creating a role, you can decide if the role
should have creation permissions in the public schema, rather than
having people always using the database owner for this purpose.

--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EnterpriseDB https://enterprisedb.com

The usefulness of a cup is in its emptiness, Bruce Lee