From: Tom Lane
To: "Tefft, Michael J"
cc: "pgsql-general@lists.postgresql.org"
Subject: Re: Removing the default grant of EXECUTE on functions/procedures to PUBLIC
Comments: In-reply-to "Tefft, Michael J" message dated "Fri, 05 Jul 2024 14:45:11 -0000"
Date: Fri, 05 Jul 2024 10:51:01 -0400
Message-ID: <201663.1720191061@sss.pgh.pa.us>

"Tefft, Michael J" writes:
> I am trying to remove the default grant of EXECUTE on all functions/procedures to PUBLIC.
> From my reading, there is no straightforward way to do this. For example,
> ALTER DEFAULT PRIVILEGES REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;
> Does not apply this across the entire cluster (or database) but only applies to the role who issued it (and objects yet to be created by that role).
> So I am arriving at the conclusion that I need to alter the default privileges for every existing role (which I expected), and ensure that default privileges are altered for every new role that is created going forward.
> Have I analyzed this correctly?

You'll also need to repeat the ALTERs in each database of your
installation.

			regards, tom lane
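
One way to carry out the per-role, per-database procedure discussed in this message, as an added example that is not part of the original thread: a psql script that finds every role whose global function defaults still grant EXECUTE to PUBLIC and issues the ALTER for it. It assumes a superuser session in psql, and skipping the predefined pg_* roles is a choice made here.

```sql
-- Added example. Run in psql as a superuser, once in every database:
-- default privileges are stored per database in pg_default_acl.
-- Assumption: predefined roles (names starting with pg_) are skipped.

-- Roles whose global defaults for functions/procedures still give
-- PUBLIC the EXECUTE privilege, turned into the statements that fix them.
WITH fn_defaults AS (
    SELECT d.defaclrole,
           EXISTS (SELECT 1
                   FROM aclexplode(d.defaclacl) AS a
                   WHERE a.grantee = 0               -- 0 stands for PUBLIC
                     AND a.privilege_type = 'EXECUTE') AS public_exec
    FROM pg_default_acl AS d
    WHERE d.defaclobjtype = 'f'      -- functions (includes procedures)
      AND d.defaclnamespace = 0      -- global entry, not an IN SCHEMA one
)
SELECT format('ALTER DEFAULT PRIVILEGES FOR ROLE %I '
              'REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC', r.rolname)
FROM pg_roles AS r
LEFT JOIN fn_defaults AS f ON f.defaclrole = r.oid
WHERE r.rolname !~ '^pg_'
  -- no pg_default_acl row means the built-in default (PUBLIC may execute)
  AND coalesce(f.public_exec, true)
ORDER BY r.rolname
\gexec
```

With `\gexec` replaced by `;` the query only lists the pending statements, so it doubles as an audit to rerun after each CREATE ROLE and in each database.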