@ -3010,56 +3010,57 @@ REVOKE CREATE ON SCHEMA public FROM PUBLIC;
<title>Usage Patterns</title> <title>Usage Patterns</title>
<para> <para>
Schemas can be used to organize your data in many ways. There are a few Schemas can be used to organize your data in many ways.
usage patterns easily supported by the default configuration, only one of A <firstterm>secure schema usage pattern</firstterm> prevents untrusted
which suffices when database users mistrust other database users: users from changing the behavior of other users' queries. When a database
does not use a secure schema usage pattern, users wishing to securely
query that database would take protective action at the beginning of each
session. Specifically, they would begin each session by
setting <varname>search_path</varname> to the empty string or otherwise
removing non-superuser-writable schemas
from <varname>search_path</varname>. There are a few usage patterns
easily supported by the default configuration:
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<!-- "DROP SCHEMA public" is inferior to this REVOKE, because pg_dump <!-- "DROP SCHEMA public" is inferior to this REVOKE, because pg_dump
doesn't preserve that DROP. --> doesn't preserve that DROP.
A database owner can attack the database's users via "CREATE SCHEMA
trojan; ALTER DATABASE $mydb SET search_path = trojan, public;". A
CREATEROLE user can issue "GRANT $dbowner TO $me" and then use the
database owner attack. -->
<para> <para>
Constrain ordinary users to user-private schemas. To implement this, Constrain ordinary users to user-private schemas. To implement this,
issue <literal>REVOKE CREATE ON SCHEMA public FROM PUBLIC</literal>, issue <literal>REVOKE CREATE ON SCHEMA public FROM PUBLIC</literal>,
and create a schema for each user with the same name as that user. If and create a schema for each user with the same name as that user.
affected users had logged in before this, consider auditing the public Recall that the default search path starts
with <literal>$user</literal>, which resolves to the user name.
Therefore, if each user has a separate schema, they access their own
schemas by default. After adopting this pattern in a database where
untrusted users had already logged in, consider auditing the public
schema for objects named like objects in schema for objects named like objects in
schema <literal>pg_catalog</literal>. Recall that the default search schema <literal>pg_catalog</literal>. This pattern is a secure schema
path starts with <literal>$user</literal>, which resolves to the user usage pattern unless an untrusted user is the database owner or holds
name. Therefore, if each user has a separate schema, they access their the <literal>CREATEROLE</literal> privilege, in which case no secure
own schemas by default . schema usage pattern exists .
</para> </para>
</listitem>
<listitem>
<para> <para>
Remove the public schema from each user's default search path
using <literal>ALTER ROLE <replaceable>user</replaceable> SET
search_path = "$user"</literal>. Everyone retains the ability to
create objects in the public schema, but only qualified names will
choose those objects. While qualified table references are fine, calls
to functions in the public schema <link linkend="typeconv-func">will be
unsafe or unreliable</link>. Also, a user holding
the <literal>CREATEROLE</literal> privilege can undo this setting and
issue arbitrary queries under the identity of users relying on the
setting. If you create functions or extensions in the public schema or
grant <literal>CREATEROLE</literal> to users not warranting this
almost-superuser ability, use the first pattern instead.
</para> </para>
</listitem> </listitem>
<listitem> <listitem>
<para> <para>
Remove the public schema from <varname>search_path</varname> in Remove the public schema from the default search path, by modifying
<link linkend="config-setting-configuration-file"><filename>postgresql.conf</filename></link>. <link linkend="config-setting-configuration-file"><filename>postgresql.conf</filename></link>
The ensuing user experience matches the previous pattern. In addition or by issuing <literal>ALTER ROLE ALL SET search_path =
to that pattern's implications for functions "$user"</literal>. Everyone retains the ability to create objects in
and <literal>CREATEROLE</literal>, this trusts database owners the public schema, but only qualified names will choose those objects.
like <literal>CREATEROLE</literal>. If you create functions or While qualified table references are fine, calls to functions in the
extensions in the public schema or assign public schema <link linkend="typeconv-func">will be unsafe or
the <literal>CREATEROLE</literal> unreliable</link>. If you create functions or extensions in the public
privilege, <literal>CREATEDB</literal> privilege or individual database schema, use the first pattern instead. Otherwise, like the first
ownership to users not warranting almost-superuser access, use the pattern, this is secure unless an untrusted user is the database owner
first pattern instead . or holds the <literal>CREATEROLE</literal> privilege .
</para> </para>
</listitem> </listitem>
@ -3067,10 +3068,9 @@ REVOKE CREATE ON SCHEMA public FROM PUBLIC;
<para> <para>
Keep the default. All users access the public schema implicitly. This Keep the default. All users access the public schema implicitly. This
simulates the situation where schemas are not available at all, giving simulates the situation where schemas are not available at all, giving
a smooth transition from the non-schema-aware world. However, any user a smooth transition from the non-schema-aware world. However, this is
can issue arbitrary queries under the identity of any user not electing never a secure pattern. It is acceptable only when the database has a
to protect itself individually. This pattern is acceptable only when single user or a few mutually-trusting users.
the database has a single user or a few mutually-trusting users.
</para> </para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
Noah Misch
6 years ago