Search Postgresql Archives

Re: Ver 15.X and restriction for schema=public

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





On 12/23/24 12:17 PM, Bharani SV-forum wrote:
Adrian
TQ. Exactly , you have provided the needed information

For existing databases, especially those having multiple users,
- I will consider revoking CREATE permission on the public schema to adopt this new default.

You may want to do some testing before you do that. It may very well be that your existing code depends on being able to CREATE objects in the public schema using the public role.


1) Do i need to revoke "SELECT" access on any tables/indexes etc in schema = public ? 2) Do i need to revoke "Execute" access on any procedures/functions  in schema = public ?

Again this is going to need to be tested. I'm betting though that your present code depends on these privileges existing.

Just remember the change was for:

"Remove PUBLIC creation permission on the public schema"

where PUBLIC is a built in role. I would suggest reading:

https://www.postgresql.org/docs/current/ddl-priv.html

for more information on what that means.



I agree with your suggestion - - For new databases having no need to defend against insider threats, granting CREATE permission will yield the behavior of prior releases.

It is not my suggestion, what I quoted comes from the documentation.


Can you pl seed more information with qsn#1 and #2

On Monday, December 23, 2024 at 03:06:56 PM EST, Adrian Klaver <adrian.klaver@xxxxxxxxxxx> wrote:




On 12/23/24 11:26 AM, Bharani SV-forum wrote:
 > Team
 > I am in the process of upgrading EC2-PGS ver 13.X to 15.X
 > I am aware  since ver 14.X, we have restriction in the usage of
 > schema=public and the DBA need to grant exclusive priv for the tagged db
 > user's.

Are you referring to this?:

https://www.postgresql.org/docs/15/release-15.html <https://www.postgresql.org/docs/15/release-15.html>

"Remove PUBLIC creation permission on the public schema (Noah Misch) §

The new default is one of the secure schema usage patterns that Section
5.9.6 has recommended since the security release for CVE-2018-1058. The
change applies to new database clusters and to newly-created databases
in existing clusters. Upgrading a cluster or restoring a database dump
will preserve public's existing permissions.

For existing databases, especially those having multiple users, consider
revoking CREATE permission on the public schema to adopt this new
default. For new databases having no need to defend against insider
threats, granting CREATE permission will yield the behavior of prior
releases.

"


 >
 > Assume i want to enforce it,
 > Can i retag all the object tables/indexex/packages/procedures/functions
 > etc tagged under schema =public to a newly created schema e.g =
 > *schemaname = allowallusr *and grant respective priv's.
 >
 > Whether it will resolve the issue, as application time need time to
 > validated all the use case for testing the objects which is present
 > under schema=public and ported to new schema= allowallusr .
 >
 > Any suggestions or best practise


--
Adrian Klaver
adrian.klaver@xxxxxxxxxxx <mailto:adrian.klaver@xxxxxxxxxxx>




--
Adrian Klaver
adrian.klaver@xxxxxxxxxxx





[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Postgresql Jobs]     [Postgresql Admin]     [Postgresql Performance]     [Linux Clusters]     [PHP Home]     [PHP on Windows]     [Kernel Newbies]     [PHP Classes]     [PHP Databases]     [Postgresql & PHP]     [Yosemite]

  Powered by Linux