Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tPpBh-00FasP-8R for pgsql-general@arkaria.postgresql.org; Mon, 23 Dec 2024 20:38:01 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1tPpBg-00FpJm-Hy for pgsql-general@arkaria.postgresql.org; Mon, 23 Dec 2024 20:38:00 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tPp8V-00FjMa-BA for pgsql-general@lists.postgresql.org; Mon, 23 Dec 2024 20:34:43 +0000 Received: from fhigh-b8-smtp.messagingengine.com ([202.12.124.159]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tPp8Q-001HOS-RE for pgsql-general@postgresql.org; Mon, 23 Dec 2024 20:34:42 +0000 Received: from phl-compute-11.internal (phl-compute-11.phl.internal [10.202.2.51]) by mailfhigh.stl.internal (Postfix) with ESMTP id EAA5B25401E6; Mon, 23 Dec 2024 15:34:36 -0500 (EST) Received: from phl-mailfrontend-02 ([10.202.2.163]) by phl-compute-11.internal (MEProxy); Mon, 23 Dec 2024 15:34:37 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aklaver.com; h= cc:content-transfer-encoding:content-type:content-type:date:date :from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to; s=fm1; t=1734986076; x=1735072476; bh=AEs3rHATH6FVVosze7zqAF0BSXOZ/Z6xtWK/oFkIlUA=; b= w0zzLX5HL1Q6cEFyDacOPYn0VHSwUbQmiLuL8hN8HirB9Z5jub450wou6PeqHRxk fnkNKAM4pMExvxBrDkKP8JnFQEU2FlzIydFQAEDe3KKGu0XlcypxP9JpgWzF8tsB YjzpXOaryyc2SfP1r+UuZaMHwZ2mNnjC/lIjBprfrG/fN3iY/72vqXXAsUyUVwsv mQC5MGNkrXXX3qnX9DP82kUs8CmvaRkGJf++Sfs+oRroCgSUs54ZA4XFsYkcCw9D TuFQtQgzFf1daqgny71ZgZgt+hS/BgxShvha7unzm2ZMCxthdCBUORFThQWbc/C/ L53zbuP2nKczgvi2wjyv3w== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:subject:subject:to:to:x-me-proxy:x-me-sender :x-me-sender:x-sasl-enc; s=fm2; t=1734986076; x=1735072476; bh=A Es3rHATH6FVVosze7zqAF0BSXOZ/Z6xtWK/oFkIlUA=; b=EFpp9MQQBna2kvXhp RbFftpwSFRyAZMoIQNdCUUeBFZiM5PJbIZqsEClhO0uz+iiviZnJAr6TfhVuhuVD +MTEktVAKoPJY29e8TbcEAuPXJxukjmLLofSWghGZNUi7+XwrSI8cUcSFAzrjZzR I9ZSVhHhltgJwdb/6cEiVuI0zCxg/84zjtLept8Ir/FOvx6K0qD+GEE/B67Yh9Xm JoGo9OkqNQ1VoW7Q/eE0ZrUaZfuQOhewMESM4K/uvDP7NGOv7S4zAs9CX2RZAbtY RaDjhZWYGc8XBfoQGRzlF2L3zyWkrODbd+Co44Rqoa3HnBQJ6j6j+f1PFvwNBlrV IKM4Q== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeefuddrudduvddgjeegucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdggtfgfnhhsuhgsshgtrhhisggvpdfu rfetoffkrfgpnffqhgenuceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnh htshculddquddttddmnecujfgurhepkfffgggfuffvfhfhjggtgfesthekredttddvjeen ucfhrhhomheptegurhhirghnucfmlhgrvhgvrhcuoegrughrihgrnhdrkhhlrghvvghrse grkhhlrghvvghrrdgtohhmqeenucggtffrrghtthgvrhhnpeelgeevkeekkeeuiefgtdev ieeluefhfedufeetkeejffekjeeujeehgeehgeektdenucffohhmrghinhepphhoshhtgh hrvghsqhhlrdhorhhgnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghi lhhfrhhomheprggurhhirghnrdhklhgrvhgvrhesrghklhgrvhgvrhdrtghomhdpnhgspg hrtghpthhtohepvddpmhhouggvpehsmhhtphhouhhtpdhrtghpthhtohepvghsthgvvghm sghsvhdqfhhorhhumheshigrhhhoohdrtghomhdprhgtphhtthhopehpghhsqhhlqdhgvg hnvghrrghlsehpohhsthhgrhgvshhqlhdrohhrgh X-ME-Proxy: Feedback-ID: i76984098:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Mon, 23 Dec 2024 15:34:35 -0500 (EST) Message-ID: <058e9aa1-60e8-44db-9a27-003a1c27cb5e@aklaver.com> Date: Mon, 23 Dec 2024 12:34:34 -0800 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: Ver 15.X and restriction for schema=public To: Bharani SV-forum , pgsql-general References: <0558ddd4d71641bdb41fa49b2425f73c@safrangroup.com> <1918413683.2239751.1733944364448@mail.yahoo.com> <037a8338-3434-47d4-aaad-ef186d4d3250@aklaver.com> <101139100.4053671.1734383960480@mail.yahoo.com> <1875422740.4095620.1734388259706@mail.yahoo.com> <1528119631.4096246.1734390318281@mail.yahoo.com> <2033286177.1733661.1734651404850@mail.yahoo.com> <8833d8c7-3713-4d6f-9eab-35270e769564@aklaver.com> <1392047062.5689697.1734710997053@mail.yahoo.com> <783439164.5695290.1734713539262@mail.yahoo.com> <928427177.4710979.1734722745840@mail.yahoo.com> <2036867199.5856152.1734735063013@mail.yahoo.com> <1694853482.6517504.1734981981968@mail.yahoo.com> <70e957e6-1067-4849-82a4-01cc2a9aa8cd@aklaver.com> <650461436.6531774.1734985037118@mail.yahoo.com> Content-Language: en-US From: Adrian Klaver In-Reply-To: <650461436.6531774.1734985037118@mail.yahoo.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On 12/23/24 12:17 PM, Bharani SV-forum wrote: > Adrian > TQ. Exactly , you have provided the needed information > > For existing databases, especially those having multiple users, > - I will consider revoking CREATE permission on the public schema to > adopt this new default. You may want to do some testing before you do that. It may very well be that your existing code depends on being able to CREATE objects in the public schema using the public role. > > 1) Do i need to revoke "SELECT" access on any tables/indexes etc in > schema = public ? > 2) Do i need to revoke "Execute" access on any procedures/functions  in > schema = public ? Again this is going to need to be tested. I'm betting though that your present code depends on these privileges existing. Just remember the change was for: "Remove PUBLIC creation permission on the public schema" where PUBLIC is a built in role. I would suggest reading: https://www.postgresql.org/docs/current/ddl-priv.html for more information on what that means. > > > I agree with your suggestion - - For new databases having no need to > defend against insider threats, granting CREATE permission will yield > the behavior of prior releases. It is not my suggestion, what I quoted comes from the documentation. > > Can you pl seed more information with qsn#1 and #2 > > On Monday, December 23, 2024 at 03:06:56 PM EST, Adrian Klaver > wrote: > > > > > On 12/23/24 11:26 AM, Bharani SV-forum wrote: > > Team > > I am in the process of upgrading EC2-PGS ver 13.X to 15.X > > I am aware  since ver 14.X, we have restriction in the usage of > > schema=public and the DBA need to grant exclusive priv for the tagged db > > user's. > > Are you referring to this?: > > https://www.postgresql.org/docs/15/release-15.html > > > "Remove PUBLIC creation permission on the public schema (Noah Misch) § > > The new default is one of the secure schema usage patterns that Section > 5.9.6 has recommended since the security release for CVE-2018-1058. The > change applies to new database clusters and to newly-created databases > in existing clusters. Upgrading a cluster or restoring a database dump > will preserve public's existing permissions. > > For existing databases, especially those having multiple users, consider > revoking CREATE permission on the public schema to adopt this new > default. For new databases having no need to defend against insider > threats, granting CREATE permission will yield the behavior of prior > releases. > > " > > > > > > Assume i want to enforce it, > > Can i retag all the object tables/indexex/packages/procedures/functions > > etc tagged under schema =public to a newly created schema e.g = > > *schemaname = allowallusr *and grant respective priv's. > > > > Whether it will resolve the issue, as application time need time to > > validated all the use case for testing the objects which is present > > under schema=public and ported to new schema= allowallusr . > > > > Any suggestions or best practise > > > -- > Adrian Klaver > adrian.klaver@aklaver.com > > > -- Adrian Klaver adrian.klaver@aklaver.com