On Sat, Mar 3, 2018 at 4:56 AM, Noah Misch <n...@leadboat.com> wrote: > Commit 5770172 ("Document security implications of search_path and the public > schema.") is largely a workaround for the fact that the boot_val of > search_path contains "public" while template0 gets "GRANT CREATE, USAGE ON > SCHEMA public TO PUBLIC". It's like having world-writable /usr/bin. The > security team opted not to change that in released branches, but we thought to > revisit it later. I propose, for v11, switching to "GRANT USAGE ON SCHEMA > public TO PUBLIC" (omit CREATE). Concerns? An alternative is to change the > default search_path to "$user"; that would be break more applications, and I > don't see an advantage to compensate for that.
Isn't this going to cause widespread breakage? Unprivileged users will suddenly find that they can no longer create tables, because $user doesn't exist and they don't have permission on public. That seems quite unfriendly. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company