Package: postgresql-8.4
Version: 8.4.2-2
Severity: important
Tags: security

By default, public has USAGE rights to template1, so can always connect
there if allowed by pg_hba.conf.

Now the default permissions of the public schema are CREATE and USAGE
for public. This means that everyone is allowed to create things in the
public schema.

| public | postgres | postgres=UC/postgres | standard public schema
|                   : =UC/postgres

The documentation says:
| Depending on the type of object, the initial default privileges might
| include granting some privileges to PUBLIC. The default is no public
| access for tables, columns, schemas, and tablespaces;

So this differs from the default access to this time. initdb explicitly
sets these default permissions, so this looks intentional.

This means that many people may be able to add things into the default
template.

Bastian

-- 
One does not thank logic.
		-- Sarek, "Journey to Babel", stardate 3842.4
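
How to read the access-privileges cell quoted in the report, as an added example that is not part of the original message or of PostgreSQL itself: an ACL item has the form grantee=privileges/grantor, and an empty grantee means PUBLIC. The function names, the unquoted-role-name assumption and the "hardened" sample cell are assumptions made for this illustration.

```python
"""Parse PostgreSQL ACL items such as '=UC/postgres' (added example)."""
from typing import NamedTuple

# Privilege letters as printed by psql; only those used for schemas and databases.
PRIVS = {"U": "USAGE", "C": "CREATE", "c": "CONNECT", "T": "TEMPORARY"}


class AclItem(NamedTuple):
    grantee: str           # "PUBLIC" when the grantee field is empty
    privileges: frozenset  # privilege names, grant-option markers dropped
    grantor: str


def parse_acl(cell: str) -> list:
    """Split an access-privileges cell into AclItem entries.

    Items may be separated by newlines, commas (array form) or the ':'
    wrap marker seen in the report. Assumes unquoted role names.
    """
    items = []
    for raw in cell.replace(":", "\n").replace(",", "\n").splitlines():
        raw = raw.strip().strip("{}")
        if not raw:
            continue
        if "=" not in raw or "/" not in raw:
            raise ValueError(f"not an ACL item: {raw!r}")
        left, _, grantor = raw.rpartition("/")
        grantee, _, letters = left.partition("=")
        # '*' after a letter marks a grant option; it is not a privilege itself.
        privs = frozenset(PRIVS.get(ch, ch) for ch in letters if ch != "*")
        items.append(AclItem(grantee or "PUBLIC", privs, grantor))
    return items


def public_can_create(cell: str) -> bool:
    """True if any item grants CREATE to PUBLIC (the condition reported above)."""
    return any(i.grantee == "PUBLIC" and "CREATE" in i.privileges
               for i in parse_acl(cell))


# Constructed samples: REPORTED is the cell quoted in the report; HARDENED is a
# hypothetical cell as it would look after CREATE is revoked from PUBLIC.
REPORTED = "postgres=UC/postgres\n: =UC/postgres"
HARDENED = "postgres=UC/postgres\n: =U/postgres"

if __name__ == "__main__":
    for label, cell in (("reported", REPORTED), ("hardened", HARDENED)):
        print(label, "PUBLIC may CREATE:", public_can_create(cell))
```

The hardened cell corresponds to running `REVOKE CREATE ON SCHEMA public FROM PUBLIC;` in the database concerned; doing so in template1 affects databases later created from it.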