public schema grants to PUBLIC role - Mailing list pgsql-general

From Dominique Devienne
Subject public schema grants to PUBLIC role
Date
Msg-id CAFCRh--mT14Hj_FcbbrBVMMD7JoCQi29TKymrNXz2TYh_-53HQ@mail.gmail.com
List pgsql-general
Hi. I've recently realized via a post (or article?) from Laurenz that the PUBLIC role has CREATE privilege on the 'public' schema by default (see query below). I guess it can't be avoided?

OK, then I'll REVOKE that privilege when creating a new DB.
Like I already revoked the default CONNECT to PUBLIC on the DB.

But I'm wondering about unexpected side-effects.
In particular, we need extensions, which are loaded in public by default.
Will USAGE of public be enough for LOGIN users having access to the DB to use extensions?

More broadly, we want to secure the DB so that all DB access and schema access are explicit.
Anything else to be aware of please, besides the two mentioned above?

Thanks, --DD 

```
=> select grantor::regrole::text, case grantee when 0 then 'PUBLIC' else grantee::regrole::text end, privilege_type as priv, is_grantable as adm from pg_namespace, lateral aclexplode(nspacl) where nspname = 'public';
 grantor  | grantee  |  priv  | adm
----------+----------+--------+-----
 postgres | postgres | USAGE  | f
 postgres | postgres | CREATE | f
 postgres | PUBLIC   | USAGE  | f
 postgres | PUBLIC   | CREATE | f
(4 rows)
```
