Tom Lane wrote:
> Alvaro Herrera <alvherre@alvh.no-ip.org> writes:
>
>>Actually, that last grant is implicit. When an ACL is found to be null,
>>it's considered to have a grant to public.
>
>
> No, it's considered to be whatever the default for the object type is.
> Read the GRANT manual page.

I'm obviously missing something. From the GRANT documentation:

    Depending on the type of object, the initial default privileges may
    include granting some privileges to PUBLIC. The default is no public
    access for tables, schemas, and tablespaces; TEMP table creation
    privilege for databases; EXECUTE privilege for functions; and USAGE
    privilege for languages.

So as I read it, PUBLIC has no access to a schema if not explicitly
granted. However:

pfein@scoober ~ $ createdb -U postgres test
CREATE DATABASE
pfein@scoober ~ $ psql -U testuser test
test=> \dn+
                                     List of schemas
        Name        |  Owner   |          Access privileges          |           Description
--------------------+----------+-------------------------------------+----------------------------------
 information_schema | postgres | {postgres=UC/postgres,=U/postgres}  |
 pg_catalog         | postgres | {postgres=UC/postgres,=U/postgres}  | System catalog schema
 pg_toast           | postgres |                                     | Reserved schema for TOAST tables
 public             | postgres | {postgres=UC/postgres,=UC/postgres} | Standard public schema
(4 rows)

If I read my ACLs correctly, =UC/postgres means full access for PUBLIC.
Why is that happening? Do I need to REVOKE ALL ON SCHEMA public FROM
public in template1? If that's correct, what else should I be revoking on?
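
Added example, not part of the original post: a small Python decoder for the ACL strings in the \dn+ output above, reporting which privileges each schema grants to PUBLIC (the entry with an empty grantee) and which rows have a NULL ACL. The function names are hypothetical, and it assumes plain, unquoted role names.

```python
import re

# Privilege letters in PostgreSQL aclitem text; "*" after a letter = grant option.
PRIV = {"r": "SELECT", "w": "UPDATE", "a": "INSERT", "d": "DELETE",
        "x": "REFERENCES", "t": "TRIGGER", "X": "EXECUTE",
        "U": "USAGE", "C": "CREATE", "T": "TEMPORARY"}
ITEM = re.compile(r"^([^=]*)=([A-Za-z*]*)/(.+)$")  # grantee=privs/grantor

def parse_acl(text):
    # Returns None for an empty column (NULL ACL: the object-type default
    # applies), else a list of (grantee, {privilege: grant_option}, grantor).
    text = text.strip()
    if not text:
        return None
    if not (text.startswith("{") and text.endswith("}")):
        raise ValueError("not an ACL array: %r" % text)
    entries, inner = [], text[1:-1]
    for raw in inner.split(",") if inner else []:
        m = ITEM.match(raw.strip())
        if not m:
            raise ValueError("bad aclitem: %r" % raw)
        privs, last = {}, None
        for ch in m.group(2):
            if ch != "*":
                last = PRIV.get(ch, "unknown(%s)" % ch)
                privs[last] = False
            elif last is None:
                raise ValueError("grant option without privilege: %r" % raw)
            else:
                privs[last] = True
        entries.append((m.group(1) or "PUBLIC", privs, m.group(3)))
    return entries

def public_privileges(text):
    # Sorted privileges held by PUBLIC, or None when the ACL itself is NULL.
    acl = parse_acl(text)
    if acl is None:
        return None
    return sorted({p for who, privs, _ in acl if who == "PUBLIC" for p in privs})

# The four rows from the \dn+ output in the post: schema name -> ACL column.
SCHEMAS = {"information_schema": "{postgres=UC/postgres,=U/postgres}",
           "pg_catalog": "{postgres=UC/postgres,=U/postgres}",
           "pg_toast": "",
           "public": "{postgres=UC/postgres,=UC/postgres}"}

def audit(schemas=SCHEMAS):
    return {name: public_privileges(acl) for name, acl in schemas.items()}

if __name__ == "__main__":
    for name, privs in audit().items():
        print(name, "NULL ACL (type default)" if privs is None else privs)
```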