Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1tPohR-00FWsd-6m
	for pgsql-general@arkaria.postgresql.org; Mon, 23 Dec 2024 20:06:45 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1tPohQ-00FQYy-Fm
	for pgsql-general@arkaria.postgresql.org; Mon, 23 Dec 2024 20:06:44 +0000
Received: from makus.postgresql.org ([2001:4800:3e1:1::229])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <adrian.klaver@aklaver.com>)
	id 1tPohP-00FQYq-Mw
	for pgsql-general@lists.postgresql.org; Mon, 23 Dec 2024 20:06:43 +0000
Received: from fout-b8-smtp.messagingengine.com ([202.12.124.151])
	by makus.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <adrian.klaver@aklaver.com>)
	id 1tPohN-000EPC-2L
	for pgsql-general@postgresql.org;
	Mon, 23 Dec 2024 20:06:42 +0000
Received: from phl-compute-06.internal (phl-compute-06.phl.internal [10.202.2.46])
	by mailfout.stl.internal (Postfix) with ESMTP id 295131140183;
	Mon, 23 Dec 2024 15:06:40 -0500 (EST)
Received: from phl-mailfrontend-02 ([10.202.2.163])
  by phl-compute-06.internal (MEProxy); Mon, 23 Dec 2024 15:06:40 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aklaver.com; h=
	cc:content-transfer-encoding:content-type:content-type:date:date
	:from:from:in-reply-to:in-reply-to:message-id:mime-version
	:references:reply-to:subject:subject:to:to; s=fm1; t=1734984400;
	 x=1735070800; bh=Wn8lxzEOS0H6+10r75+bCXOQr4r7596kBn3nl3Ir+9M=; b=
	RwvCguoH3G5qgOO3NHd1Er6cDFYnoy5S5zmFchnVZvjzOJpjnR6uOlfU2NZfJGy4
	JcHPuXEnGpVapoHui7/GHcup+tWV44ngZqmPfGIQr3E2s96Yo2QvYPJ/LtCn1eBz
	jXFd++0h+J4Y3j0tcHTl73iTqZEn328ynLALGMiWExoCOCbyUVBvngCAkpELDMzu
	MbMrEIXIH1cThFjo+SsBI5myjwNDLe8yZud2WW9RcNEa2A3J608sJS1szPN1u7BN
	gHIo34GD7ebkwf0gew/bEN39f7jD+iNJdECfMnWX8Kn2vPN6mPDNMnTMUYuSkQvY
	/l9zEaKXT0TIulrRMg+kvA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	messagingengine.com; h=cc:content-transfer-encoding:content-type
	:content-type:date:date:feedback-id:feedback-id:from:from
	:in-reply-to:in-reply-to:message-id:mime-version:references
	:reply-to:subject:subject:to:to:x-me-proxy:x-me-sender
	:x-me-sender:x-sasl-enc; s=fm2; t=1734984400; x=1735070800; bh=W
	n8lxzEOS0H6+10r75+bCXOQr4r7596kBn3nl3Ir+9M=; b=ckwaGI5OVa6B9s8Gs
	QSh509D+Zi8w6IsQa7IhHj5oV2U+jgP5maxJpN6i4HxleW+K5z3nTNXAM300G1+v
	rFT98+0+4FV+06YvxgApjM8qujWp99EfHt99BK+d0bb5D3Ek00hR15pkmzBHaiGg
	sxVUud6neJn0QFjKs258RCfYr0T9A32uu5TBnjXLv0sTbWtVrVu5m7i1Dvgu/hcq
	7GR0migqkzscrutDSgK11MdQo90MtVgQkNkMpoxm4FIxvN4s75L27A0pzLDjq55s
	bHgB2aFg6AtNHok8qwA+Jq7TBDnk7ga33dwWCJawG125BSOJkIZE/o+r6JwodCa3
	LCkyg==
X-ME-Sender: <xms:z8JpZzMgQwiYBXl8U5rbFz5St6L65PL1ACJLiemddWlVlRaj2rFH8w>
    <xme:z8JpZ9-jfAR8WKM3e2tQv_DtQEZ0ht5qP4nS8m_mxC1ZOjE9TrLrfpr3bxP7UmB9_
    kFL8Hu5EPX_aqg>
X-ME-Received: <xmr:z8JpZyR4QE-kC3gTH_boldXfxWqy3HK5VYG-vzdouFEYSO-Knj6zp3xs-ReTuHYwqBtEpfrg9hFs2TMUBauMHvbkr0_BMw4fP7niraWry-w>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeefuddrudduvddgieelucetufdoteggodetrfdotf
    fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdggtfgfnhhsuhgsshgtrhhisggvpdfu
    rfetoffkrfgpnffqhgenuceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnh
    htshculddquddttddmnecujfgurhepkfffgggfuffvfhfhjggtgfesthekredttddvjeen
    ucfhrhhomheptegurhhirghnucfmlhgrvhgvrhcuoegrughrihgrnhdrkhhlrghvvghrse
    grkhhlrghvvghrrdgtohhmqeenucggtffrrghtthgvrhhnpeelgeevkeekkeeuiefgtdev
    ieeluefhfedufeetkeejffekjeeujeehgeehgeektdenucffohhmrghinhepphhoshhtgh
    hrvghsqhhlrdhorhhgnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghi
    lhhfrhhomheprggurhhirghnrdhklhgrvhgvrhesrghklhgrvhgvrhdrtghomhdpnhgspg
    hrtghpthhtohepvddpmhhouggvpehsmhhtphhouhhtpdhrtghpthhtohepvghsthgvvghm
    sghsvhdqfhhorhhumheshigrhhhoohdrtghomhdprhgtphhtthhopehpghhsqhhlqdhgvg
    hnvghrrghlsehpohhsthhgrhgvshhqlhdrohhrgh
X-ME-Proxy: <xmx:z8JpZ3vrduivFRJnqB-9-wHCr-FvSjcJmHxbwIMAXf-4x62PgTZaOg>
    <xmx:z8JpZ7eJ2s3gx4bJvYFVKICSute9kpTOyMw9bY0dNCFAoxGwaGTVYA>
    <xmx:z8JpZz2pYSW8J_6v_gVSoNaRmOWqzCNchLPRcbFMtm5LxG2Jh-U8XA>
    <xmx:z8JpZ39uewXXlwOyaXCXVnzj2-bt0onVA8sGcfkUjHr0K8Dy57Lr8w>
    <xmx:z8JpZ8p28pGox0v4vaF3XX7ZyhP0DueCdOhegufJ-JbfNr25bqNAIGh_>
Feedback-ID: i76984098:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Mon,
 23 Dec 2024 15:06:38 -0500 (EST)
Message-ID: <70e957e6-1067-4849-82a4-01cc2a9aa8cd@aklaver.com>
Date: Mon, 23 Dec 2024 12:06:37 -0800
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: Ver 15.X and restriction for schema=public
To: Bharani SV-forum <esteembsv-forum@yahoo.com>,
 pgsql-general <pgsql-general@postgresql.org>
References: <0558ddd4d71641bdb41fa49b2425f73c@safrangroup.com>
 <1061066336.5835157.1733316137292@mail.yahoo.com>
 <a779ef21-f04d-4a51-83d3-51632b0fb3fa@aklaver.com>
 <1918413683.2239751.1733944364448@mail.yahoo.com>
 <037a8338-3434-47d4-aaad-ef186d4d3250@aklaver.com>
 <101139100.4053671.1734383960480@mail.yahoo.com>
 <dece41b2-44bd-4b0c-9b3e-57b0adfaf1bb@aklaver.com>
 <1875422740.4095620.1734388259706@mail.yahoo.com>
 <aa16f097-fadd-439c-a58e-e2229d92bc5b@aklaver.com>
 <1528119631.4096246.1734390318281@mail.yahoo.com>
 <2033286177.1733661.1734651404850@mail.yahoo.com>
 <8833d8c7-3713-4d6f-9eab-35270e769564@aklaver.com>
 <1392047062.5689697.1734710997053@mail.yahoo.com>
 <adc3d09b-440c-48c7-9d72-0f247f27feff@aklaver.com>
 <783439164.5695290.1734713539262@mail.yahoo.com>
 <928427177.4710979.1734722745840@mail.yahoo.com>
 <f37731a5-80bf-45d8-b699-587652f34b00@aklaver.com>
 <2036867199.5856152.1734735063013@mail.yahoo.com>
 <1694853482.6517504.1734981981968@mail.yahoo.com>
Content-Language: en-US
From: Adrian Klaver <adrian.klaver@aklaver.com>
In-Reply-To: <1694853482.6517504.1734981981968@mail.yahoo.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
List-Id: <pgsql-general.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-general@lists.postgresql.org>
List-Owner: <mailto:pgsql-general-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-general>
Archived-At: <https://www.postgresql.org/message-id/70e957e6-1067-4849-82a4-01cc2a9aa8cd%40aklaver.com>
Precedence: bulk



On 12/23/24 11:26 AM, Bharani SV-forum wrote:
> Team
> I am in the process of upgrading EC2-PGS ver 13.X to 15.X
> I am aware  since ver 14.X, we have restriction in the usage of 
> schema=public and the DBA need to grant exclusive priv for the tagged db 
> user's.

Are you referring to this?:

https://www.postgresql.org/docs/15/release-15.html

"Remove PUBLIC creation permission on the public schema (Noah Misch) §

The new default is one of the secure schema usage patterns that Section 
5.9.6 has recommended since the security release for CVE-2018-1058. The 
change applies to new database clusters and to newly-created databases 
in existing clusters. Upgrading a cluster or restoring a database dump 
will preserve public's existing permissions.

For existing databases, especially those having multiple users, consider 
revoking CREATE permission on the public schema to adopt this new 
default. For new databases having no need to defend against insider 
threats, granting CREATE permission will yield the behavior of prior 
releases.
"


> 
> Assume i want to enforce it,
> Can i retag all the object tables/indexex/packages/procedures/functions 
> etc tagged under schema =public to a newly created schema e.g = 
> *schemaname = allowallusr *and grant respective priv's.
> 
> Whether it will resolve the issue, as application time need time to 
> validated all the use case for testing the objects which is present 
> under schema=public and ported to new schema= allowallusr .
> 
> Any suggestions or best practise

-- 
Adrian Klaver
adrian.klaver@aklaver.com