author | Noah Misch | 2021-09-10 06:38:09 +0000 |
---|---|---|
committer | Noah Misch | 2021-09-10 06:38:09 +0000 |
commit | b073c3ccd06e4cb845e121387a43faa8c68a7b62 (patch) | |
tree | 47e7f43d5ced29aab75de1942f2e905bcba86278 /doc/src/sgml/user-manag.sgml | |
parent | cba79a163267a44205e391137deb543f4f89bc8b (diff) |
Revoke PUBLIC CREATE from public schema, now owned by pg_database_owner.
This switches the default ACL to what the documentation has recommended
since CVE-2018-1058. Upgrades will carry forward any old ownership and
ACL. Sites that declined the 2018 recommendation should take a fresh
look. Recipes for commissioning a new database cluster from scratch may
need to create a schema, grant more privileges, etc. Out-of-tree test
suites may require such updates.
Reviewed by Peter Eisentraut.
Discussion: https://postgr.es/m/[email protected]
Diffstat (limited to 'doc/src/sgml/user-manag.sgml')
-rw-r--r-- | doc/src/sgml/user-manag.sgml | 19 |
1 files changed, 10 insertions, 9 deletions
diff --git a/doc/src/sgml/user-manag.sgml b/doc/src/sgml/user-manag.sgml index 7b4b2271734..afbf67c28cf 100644 --- a/doc/src/sgml/user-manag.sgml +++ b/doc/src/sgml/user-manag.sgml @@ -597,13 +597,14 @@ DROP ROLE doomed_role; <para> The <literal>pg_database_owner</literal> role has one implicit, - situation-dependent member, namely the owner of the current database. The - role conveys no rights at first. Like any role, it can own objects or - receive grants of access privileges. Consequently, once - <literal>pg_database_owner</literal> has rights within a template database, - each owner of a database instantiated from that template will exercise those - rights. <literal>pg_database_owner</literal> cannot be a member of any - role, and it cannot have non-implicit members. + situation-dependent member, namely the owner of the current database. Like + any role, it can own objects or receive grants of access privileges. + Consequently, once <literal>pg_database_owner</literal> has rights within a + template database, each owner of a database instantiated from that template + will exercise those rights. <literal>pg_database_owner</literal> cannot be + a member of any role, and it cannot have non-implicit members. Initially, + this role owns the <literal>public</literal> schema, so each database owner + governs local use of the schema. </para> <para> @@ -652,8 +653,8 @@ GRANT pg_signal_backend TO admin_user; horse</quote> others with relative ease. The strongest protection is tight control over who can define objects. Where that is infeasible, write queries referring only to objects having trusted owners. Remove - from <varname>search_path</varname> the public schema and any other schemas - that permit untrusted users to create objects. + from <varname>search_path</varname> any schemas that permit untrusted users + to create objects. </para> <para> |
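Review bot: In the first hunk (@@ -597,13 +597,14 @@), the added sentence "Initially, this role owns the public schema" does not say what "Initially" is measured from. The commit message states that upgrades carry forward any old ownership and ACL, so a reader on an upgraded cluster could take this paragraph to describe a database it does not describe. Suggest qualifying the sentence so it clearly applies to newly created clusters, and adding a short remark that databases upgraded from an earlier release keep their existing owner and ACL. It would also help to say what "governs local use of the schema" means in terms of the privileges the database owner can grant or revoke.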
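Review bot: In the second hunk (@@ -652,8 +653,8 @@), dropping "the public schema and" from the search_path advice leaves the sentence sufficient only where the public schema no longer permits untrusted users to create objects. Per the commit message, upgrades carry forward the old ACL and some commissioning recipes may grant more privileges, so public can still be exactly the kind of schema this paragraph warns about. Suggest keeping an explicit mention, for example "any schemas that permit untrusted users to create objects" followed by a note that this can include public in upgraded databases or wherever CREATE has been granted back, so readers check the schema's ACL before relying on the new default.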