Bruno Wolff III <br...@wolff.to> writes:
> On Wed, Oct 19, 2022 at 23:30:58 +0200,
> Thomas Kellerer <sham...@gmx.net> wrote:
>> This is explained in the release notes:
>>
>> The change applies to new database clusters and to newly-created
>> databases in existing clusters.
>> Upgrading a cluster or restoring a database dump will preserve
>> public's existing permissions.
> How do new databases in pre-existing clusters get the new public schema
> security if it doesn't come from template1?
The release notes could probably use some tweaking here. It looks to
me like pg_dumpall (and hence pg_upgrade) will adjust the ownership and
permissions of template1's public schema to match what was in the old
installation, but it doesn't touch template0. Hence, whether a
"newly-created database in an existing cluster" has the old or new
properties of the public schema will depend on whether you clone it
from template1 or template0. That definitely needs explained, and
maybe we should recommend that DBAs consider manually changing
what's in template1.
regards, tom lane
