Commit 5770172 ("Document security implications of search_path and the public
schema.") is largely a workaround for the fact that the boot_val of
search_path contains "public" while template0 gets "GRANT CREATE, USAGE ON
SCHEMA public TO PUBLIC". It's like having world-writable /usr/bin. The
security team opted not to change that in released branches, but we thought to
revisit it later. I propose, for v11, switching to "GRANT USAGE ON SCHEMA
public TO PUBLIC" (omit CREATE). Concerns? An alternative is to change the
default search_path to "$user"; that would be break more applications, and I
don't see an advantage to compensate for that.
If we do that alone, databases reaching v11 via dump/reload or pg_upgrade will
get the new default ACL if they had not changed the ACL of schema public. If
they had GRANTed or REVOKEd on schema public, pg_dump will recreate the
resulting ACL. This is the standard pg_dump behavior for ACLs on system
objects. I think that's okay for the public schema, too, and I like
preserving that usual rule. However, if we wanted to minimize upgrade-time
surprises, we could make pg_dump include GRANT for schema public
unconditionally. That way, the default ACL change would apply to new
databases only. Does anyone want to argue for that?
Thanks,
nm