GRANT CREATE or ALTER SCHEMA?


 



Hello,

 

When considering our mitigation strategy for the recently-announced CVE-2018-1058, we’ve been trying to choose between:

 

  1. ALTER SCHEMA public OWNER TO <db-owner>
  2. GRANT CREATE ON SCHEMA public TO <db-owner>

 

This is of course after the REVOKE CREATE ON SCHEMA public FROM PUBLIC.

 

We understand why the public schema is owned by the “postgres” account to start with, i.e. because CREATE DATABASE copies from the template1 database.  But this does mean that we need a post-createdb action to allow an application account to use the public schema to create its objects (which is our most typical configuration).

 

Changing the owner of the public schema to the database owner after database creation (i.e. #1 above) seems to be the simplest approach, but we’re wondering if there’s a reason for the public schema to be owned by the postgres account, i.e. beyond just “this is how it happens by default”.  We can’t come up with one, and neither can our Google-fu. :-)

 

Thanks in advance for your insights,

 

Kav Moradhassel | R&D Tools and Metrics | Ciena

kmoradha@xxxxxxxxx | 385 Terry Fox Drive | Ottawa, ON, K2K 0L1  Canada
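
The post-createdb step described in the message above, as an added example that is not part of the original post: it applies the REVOKE, then option 2 (with option 1 shown as the commented-out alternative), and audits the result. The role name `app_owner` is a hypothetical stand-in for `<db-owner>`.

```sql
-- Added example: run once in each newly created database, as a superuser
-- or as the current owner of schema public.
-- "app_owner" is a hypothetical role name standing in for <db-owner>.
BEGIN;

-- Common first step from the message: no role may create objects in
-- schema public merely by being a member of PUBLIC.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- Option 2: the schema keeps the owner it inherited from template1;
-- the application role only gains the right to create objects in it.
GRANT CREATE ON SCHEMA public TO app_owner;

-- Option 1 (use instead of the GRANT above): transfer ownership.
-- An owner can also drop the schema and change its privileges.
-- ALTER SCHEMA public OWNER TO app_owner;

COMMIT;

-- Audit 1: who owns schema public, and what ACL does it carry now?
SELECT n.nspname,
       pg_get_userbyid(n.nspowner) AS owner,
       n.nspacl
FROM pg_namespace n
WHERE n.nspname = 'public';

-- Audit 2: PUBLIC must no longer hold CREATE; app_owner must.
-- The role name 'public' in the first argument means the PUBLIC pseudo-role.
SELECT has_schema_privilege('public', 'public', 'CREATE')    AS public_can_create,
       has_schema_privilege('app_owner', 'public', 'CREATE') AS app_owner_can_create;

-- Audit 3: every other role that can still create objects in public.
-- Superusers always pass privilege checks, so they are flagged, not hidden.
SELECT r.rolname, r.rolsuper
FROM pg_roles r
WHERE has_schema_privilege(r.oid, 'public', 'CREATE')
  AND r.rolname <> 'app_owner'
ORDER BY r.rolname;
```

Because CREATE DATABASE copies template1, the same script has to run in every database created afterwards, or once in template1 itself so that new databases inherit the revoked ACL.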

 

