"David Johnston" <polobo@yahoo.com> writes:
> After creating and logging into a new database run this script. The
> initial ALTER DEFAULT PRIVILEGES should make all users unable to execute
> functions unless given explicit permissions elsewhere.
You haven't read the fine manual very closely. It saith
Default privileges that are specified per-schema are added to
whatever the global default privileges are for the particular
object type.
and
As explained under GRANT, the default privileges for any object
type normally grant all grantable permissions to the object
owner, and may grant some privileges to PUBLIC as well. However,
this behavior can be changed by altering the global default
privileges with ALTER DEFAULT PRIVILEGES.
If you want to revoke the default execute privileges for functions, you
have to do it globally, ie, not per-schema. There's no way to reduce
the default privileges at the per-schema level.
regards, tom lane
