Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1qfsll-00DUpA-Fa for pgsql-novice@arkaria.postgresql.org; Tue, 12 Sep 2023 02:04:49 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1qfsli-004HDF-V2 for pgsql-novice@arkaria.postgresql.org; Tue, 12 Sep 2023 02:04:46 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1qfsli-004HCj-Lj for pgsql-novice@lists.postgresql.org; Tue, 12 Sep 2023 02:04:46 +0000 Received: from sss.pgh.pa.us ([68.162.161.243]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1qfsle-004411-AC for pgsql-novice@lists.postgresql.org; Tue, 12 Sep 2023 02:04:45 +0000 Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1]) by sss.pgh.pa.us (8.15.2/8.15.2) with ESMTP id 38C24fxj2712775; Mon, 11 Sep 2023 22:04:41 -0400 From: Tom Lane To: ivanov17@riseup.net cc: pgsql-novice@lists.postgresql.org Subject: Re: Grant CREATE privilege on all schemas In-reply-to: References: Comments: In-reply-to ivanov17@riseup.net message dated "Tue, 12 Sep 2023 01:05:30 -0000" MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <2712773.1694484281.1@sss.pgh.pa.us> Date: Mon, 11 Sep 2023 22:04:41 -0400 Message-ID: <2712774.1694484281@sss.pgh.pa.us> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk ivanov17@riseup.net writes: > Is there a way to grant roles CREATE > privileges on all schemas? This is not supported, and it's not likely to ever become supported in exactly the way you phrased it, because that would presumably include CREATE on the pg_catalog schema. If you give somebody that, you might as well just skip the fooling around and give them full superuser, because they could hack their way to that in less time than it's taking me to type this email. In general, you want to be pretty darn chary about giving out permissions on schemas that are likely to be in other users' search_path, for much the same reasons that you don't give random users write permission on /usr/bin/. regards, tom lane