Greetings,
* Scott Ribe (scott_ribe@elevated-dev.com) wrote:
> > On Dec 11, 2020, at 1:36 PM, Stephen Frost <sfrost@snowman.net> wrote:
> > I'm pretty sure none of this has anything to do with DEFAULT PRIVILEGES
> > as those only actually apply when a new table is created (and not from a
> > template database), and that's just never the case with any PG catalog
> > tables.
>
> So the fact that default privs were set on the system catalogs was inappropriate, but harmless in this case?
Almost certainly.
> > What might be useful to point out is that only a superuser can change
> > the privileges associated with PG catalog tables and that you really
> > should be careful who you grant superuser privileges to.
>
> Yes, that's one thing I took care of earlier this year: change our processes such that we were able to remove
superuserfrom the commonly-used service accounts.
... and hopefully from most every other account. There's really very
little need to have actual superuser rights (something we continue to
work to limit the need of with each release).
Thanks,
Stephen
