@@ -2378,67 +2378,67 @@ REVOKE CREATE ON SCHEMA public FROM PUBLIC;
23782378 <title>Usage Patterns</title>
23792379
23802380 <para>
2381- Schemas can be used to organize your data in many ways. There are a few
2382- usage patterns easily supported by the default configuration, only one of
2383- which suffices when database users mistrust other database users:
2381+ Schemas can be used to organize your data in many ways.
2382+ A <firstterm>secure schema usage pattern</firstterm> prevents untrusted
2383+ users from changing the behavior of other users' queries. When a database
2384+ does not use a secure schema usage pattern, users wishing to securely
2385+ query that database would take protective action at the beginning of each
2386+ session. Specifically, they would begin each session by
2387+ setting <varname>search_path</varname> to the empty string or otherwise
2388+ removing non-superuser-writable schemas
2389+ from <varname>search_path</varname>. There are a few usage patterns
2390+ easily supported by the default configuration:
23842391 <itemizedlist>
23852392 <listitem>
23862393 <!-- "DROP SCHEMA public" is inferior to this REVOKE, because pg_dump
2387- doesn't preserve that DROP. -->
2394+ doesn't preserve that DROP.
2395+
2396+ A database owner can attack the database's users via "CREATE SCHEMA
2397+ trojan; ALTER DATABASE $mydb SET search_path = trojan, public;". A
2398+ CREATEROLE user can issue "GRANT $dbowner TO $me" and then use the
2399+ database owner attack. -->
23882400 <para>
23892401 Constrain ordinary users to user-private schemas. To implement this,
23902402 issue <literal>REVOKE CREATE ON SCHEMA public FROM PUBLIC</literal>,
2391- and create a schema for each user with the same name as that user. If
2392- affected users had logged in before this, consider auditing the public
2403+ and create a schema for each user with the same name as that user.
2404+ Recall that the default search path starts
2405+ with <literal>$user</literal>, which resolves to the user name.
2406+ Therefore, if each user has a separate schema, they access their own
2407+ schemas by default. After adopting this pattern in a database where
2408+ untrusted users had already logged in, consider auditing the public
23932409 schema for objects named like objects in
2394- schema <literal>pg_catalog</literal>.Recall that the default search
2395- path starts with <literal>$user</literal>, which resolves to theuser
2396- name. Therefore, if each user has a separate schema, they access their
2397- own schemas by default .
2410+ schema <literal>pg_catalog</literal>.This pattern is a secure schema
2411+ usage pattern unless an untrusted user is thedatabase owner or holds
2412+ the <literal>CREATEROLE</literal> privilege, in which case no secure
2413+ schema usage pattern exists .
23982414 </para>
2399- </listitem>
2400-
2401- <listitem>
24022415 <para>
2403- Remove the public schema from each user's default search path
2404- using <literal>ALTER ROLE <replaceable>user</replaceable> SET
2405- search_path = "$user"</literal>. Everyone retains the ability to
2406- create objects in the public schema, but only qualified names will
2407- choose those objects. While qualified table references are fine, calls
2408- to functions in the public schema <link linkend="typeconv-func">will be
2409- unsafe or unreliable</link>. Also, a user holding
2410- the <literal>CREATEROLE</literal> privilege can undo this setting and
2411- issue arbitrary queries under the identity of users relying on the
2412- setting. If you create functions or extensions in the public schema or
2413- grant <literal>CREATEROLE</literal> to users not warranting this
2414- almost-superuser ability, use the first pattern instead.
24152416 </para>
24162417 </listitem>
24172418
24182419 <listitem>
24192420 <para>
2420- Remove the public schema from<varname>search_path</varname> in
2421- <link linkend="config-setting-configuration-file"><filename>postgresql.conf</filename></link>.
2422- The ensuing user experience matches the previous pattern. In addition
2423- to that pattern's implications for functions
2424- and <literal>CREATEROLE</literal>, this trusts database owners
2425- like <literal>CREATEROLE</literal>. If you create functionsor
2426- extensions in the public schema or assign
2427- the <literal>CREATEROLE</literal>
2428- privilege, <literal>CREATEDB</literal> privilege or individual database
2429- ownership to users not warranting almost-superuser access, use the
2430- first pattern instead .
2421+ Remove the public schema fromthe default search path, by modifying
2422+ <link linkend="config-setting-configuration-file"><filename>postgresql.conf</filename></link>
2423+ or by issuing <literal>ALTER ROLE ALL SET search_path =
2424+ "$user"</literal>. Everyone retains the ability to create objects in
2425+ the public schema, but only qualified names will choose those objects.
2426+ While qualified table references are fine, calls to functionsin the
2427+ public schema <link linkend="typeconv-func">will be unsafe or
2428+ unreliable</link>. If you create functions or extensions in the public
2429+ schema, use the first pattern instead. Otherwise, like the first
2430+ pattern, this is secure unless an untrusted user is the database owner
2431+ or holds the <literal>CREATEROLE</literal> privilege .
24312432 </para>
24322433 </listitem>
24332434
24342435 <listitem>
24352436 <para>
24362437 Keep the default. All users access the public schema implicitly. This
24372438 simulates the situation where schemas are not available at all, giving
2438- a smooth transition from the non-schema-aware world. However, any user
2439- can issue arbitrary queries under the identity of any user not electing
2440- to protect itself individually. This pattern is acceptable only when
2441- the database has a single user or a few mutually-trusting users.
2439+ a smooth transition from the non-schema-aware world. However, this is
2440+ never a secure pattern. It is acceptable only when the database has a
2441+ single user or a few mutually-trusting users.
24422442 </para>
24432443 </listitem>
24442444 </itemizedlist>