On 12/23/24 12:17 PM, Bharani SV-forum wrote:
Adrian
TQ. Exactly , you have provided the needed information
For existing databases, especially those having multiple users,
- I will consider revoking CREATE permission on the public schema to
adopt this new default.
You may want to do some testing before you do that. It may very well be
that your existing code depends on being able to CREATE objects in the
public schema using the public role.
1) Do i need to revoke "SELECT" access on any tables/indexes etc in
schema = public ?
2) Do i need to revoke "Execute" access on any procedures/functions in
schema = public ?
Again this is going to need to be tested. I'm betting though that your
present code depends on these privileges existing.
Just remember the change was for:
"Remove PUBLIC creation permission on the public schema"
where PUBLIC is a built in role. I would suggest reading:
https://www.postgresql.org/docs/current/ddl-priv.html
for more information on what that means.
I agree with your suggestion - - For new databases having no need to
defend against insider threats, granting CREATE permission will yield
the behavior of prior releases.
It is not my suggestion, what I quoted comes from the documentation.
Can you pl seed more information with qsn#1 and #2
On Monday, December 23, 2024 at 03:06:56 PM EST, Adrian Klaver
<adrian.klaver@xxxxxxxxxxx> wrote:
On 12/23/24 11:26 AM, Bharani SV-forum wrote:
> Team
> I am in the process of upgrading EC2-PGS ver 13.X to 15.X
> I am aware since ver 14.X, we have restriction in the usage of
> schema=public and the DBA need to grant exclusive priv for the tagged db
> user's.
Are you referring to this?:
https://www.postgresql.org/docs/15/release-15.html
<https://www.postgresql.org/docs/15/release-15.html>
"Remove PUBLIC creation permission on the public schema (Noah Misch) §
The new default is one of the secure schema usage patterns that Section
5.9.6 has recommended since the security release for CVE-2018-1058. The
change applies to new database clusters and to newly-created databases
in existing clusters. Upgrading a cluster or restoring a database dump
will preserve public's existing permissions.
For existing databases, especially those having multiple users, consider
revoking CREATE permission on the public schema to adopt this new
default. For new databases having no need to defend against insider
threats, granting CREATE permission will yield the behavior of prior
releases.
"
>
> Assume i want to enforce it,
> Can i retag all the object tables/indexex/packages/procedures/functions
> etc tagged under schema =public to a newly created schema e.g =
> *schemaname = allowallusr *and grant respective priv's.
>
> Whether it will resolve the issue, as application time need time to
> validated all the use case for testing the objects which is present
> under schema=public and ported to new schema= allowallusr .
>
> Any suggestions or best practise
--
Adrian Klaver
adrian.klaver@xxxxxxxxxxx <mailto:adrian.klaver@xxxxxxxxxxx>
--
Adrian Klaver
adrian.klaver@xxxxxxxxxxx