Patricia Hu wrote:
> Since it could potentially be a security loop hole. So far the action taken to address it falls into
> these two categories:
>
> drop the PUBLIC schema altogether. One of the concerns is with some of the system objects that
> have been exposed through PUBLIC schema previously, now they will need other explicit grants to be
> accessible to users. e.g pg_stat_statements.
> keep the PUBLIC schema but revoke all privileges to it from public role, then grant as necessity
> comes up.
>
> Any feedback and lessons from those who have implemented this?
I'd prefer the second approach as it is less invasive and prevents
undesirable objects in schema "public" just as well.
> Confidentiality Notice:: This email, including attachments, may include non-public, proprietary,
> confidential or legally privileged information. If you are not an intended recipient or an authorized
> agent of an intended recipient, you are hereby notified that any dissemination, distribution or
> copying of the information contained in or transmitted with this e-mail is unauthorized and strictly
> prohibited.
You are hereby notified that any dissemination, distribution or copying of the information
contained in or transmitted with your e-mail is hunky-dory.
Yours,
Laurenz Albe