From c69616c9386003fd62692bd33003a136e04b5e40 Mon Sep 17 00:00:00 2001 From: Bruce Momjian Date: Thu, 21 Jul 2022 13:43:13 -0400 Subject: [PATCH] relnotes: improve PG 15 schema permission change wording Reported-by: Noah Misch Discussion: https://postgr.es/m/20220630050808.GC2257984@rfd.leadboat.com Backpatch-through: 15 only --- doc/src/sgml/release-15.sgml | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/doc/src/sgml/release-15.sgml b/doc/src/sgml/release-15.sgml index 1cf6375ed1d..cebc124ba4e 100644 --- a/doc/src/sgml/release-15.sgml +++ b/doc/src/sgml/release-15.sgml @@ -58,16 +58,20 @@ Author: Noah Misch - This is a change in the default for newly-created databases in - existing clusters and for new clusters; USAGE - permissions on the public schema has not - been changed. Databases restored from previous Postgres releases - will be restored with their current permissions. Users wishing - to have the former permissions will need to grant - CREATE permission for PUBLIC - on the public schema; this change can be made - on template1 to cause all new databases - to have these permissions. + The new default is one of the secure schema usage patterns that has recommended since the security + release for CVE-2018-1058. The change applies to newly-created + databases in existing clusters and for new clusters. Upgrading a + cluster or restoring a database dump will preserve existing permissions. + + + + For existing databases, especially those having multiple users, + consider revoking CREATE permission on + the public schema to adopt this new default. + For new databases having zero need to defend against insider threats, + granting CREATE permission will yield the behavior + of prior releases.
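Review bot: In the second added paragraph, "consider revoking CREATE permission on the public schema" and "granting CREATE permission will yield the behavior of prior releases" no longer say which role is meant, whereas the removed text named PUBLIC explicitly. Suggest wording such as "revoking CREATE permission for PUBLIC on the public schema", and the same for the grant, so the role and the schema, which share a name, are not confused. The removed text also stated that USAGE permission on the public schema is unchanged and that the grant can be made on template1 so that all new databases inherit it; neither point survives in the new wording, and both are worth keeping in a sentence. In the first added paragraph, "patterns that has recommended since the security release" has no subject as shown here, and "in existing clusters and for new clusters" mixes prepositions.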