On Mon, Aug 3, 2020 at 2:30 AM Noah Misch <n...@leadboat.com> wrote:
> Between (b)(2)(X) and (b)(3)(X), what are folks' preferences? Does anyone
> strongly favor some other option (including the option of changing nothing)
> over both of those two?
I don't think we have any options here that are secure but do not break backward compatibility. The present situation, with a writable public schema, is equivalent to a UNIX system in which /usr/bin is drwxrwxrwt. Nobody would seriously propose that such a system design is secure, not so much because it's intrinsically broken if everyone is careful not to execute any executables they don't know to have been deposited by people they trust, but because it's quite easy to accidentally execute one that isn't. However, if people are used to being able to deposit stuff in /usr/bin and you tell them that they now can't (because the permissions will henceforth be drwxr-xr-x or the directory won't exist at all) then some of them are going to complain. I don't know what to do about that: it's a straightforward trade-off between security and backward compatibility, and you can't have both.

I support the idea of having an automatic schema creation option. I think that would be quite a cool thing to have, whether it's the default (Y) or not (Z). But I don't know how to choose between (1), (2), and (3).

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
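The "drwxr-xr-x" configuration the analogy above points at, applied by hand on an existing database, as an added example that is not part of the thread: close the shared public schema to new deposits and give the role a schema of its own, which is what an automatic schema creation option would do for you. The database name appdb and the login role app_user are placeholders.

```sql
-- Added example, not from the thread. Assumes a stock cluster where the
-- public schema still grants CREATE to PUBLIC (the "drwxrwxrwt" state),
-- a database named appdb and a login role named app_user (placeholders).

-- Before: can every role deposit objects in the shared schema? TRUE here.
-- 'public' as the first argument names the pseudo-role, not the schema.
SELECT has_schema_privilege('public', 'public', 'CREATE') AS public_can_create;

-- Close the directory: everyone may still look objects up (USAGE stays),
-- but nobody except the schema owner may create new ones.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- Per-user "home directory" instead of a shared writable schema: a schema
-- named after the role, owned by the role, searched before public.
CREATE SCHEMA IF NOT EXISTS app_user AUTHORIZATION app_user;
ALTER ROLE app_user IN DATABASE appdb SET search_path = "$user", public;

-- After: the shared schema is read-only for app_user, its own schema is not.
SELECT has_schema_privilege('app_user', 'public', 'CREATE')   AS shared_writable,
       has_schema_privilege('app_user', 'app_user', 'CREATE') AS own_writable;
```

Objects app_user already placed in public before the REVOKE stay where they are; the change only stops new deposits, which is exactly the backward-compatibility complaint the message anticipates.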