@@ -2390,67 +2390,67 @@ REVOKE CREATE ON SCHEMA public FROM PUBLIC;
23902390 <title>Usage Patterns</title>
23912391
23922392 <para>
2393- Schemas can be used to organize your data in many ways. There are a few
2394- usage patterns easily supported by the default configuration, only one of
2395- which suffices when database users mistrust other database users:
2393+ Schemas can be used to organize your data in many ways.
2394+ A <firstterm>secure schema usage pattern</firstterm> prevents untrusted
2395+ users from changing the behavior of other users' queries. When a database
2396+ does not use a secure schema usage pattern, users wishing to securely
2397+ query that database would take protective action at the beginning of each
2398+ session. Specifically, they would begin each session by
2399+ setting <varname>search_path</varname> to the empty string or otherwise
2400+ removing non-superuser-writable schemas
2401+ from <varname>search_path</varname>. There are a few usage patterns
2402+ easily supported by the default configuration:
23962403 <itemizedlist>
23972404 <listitem>
23982405 <!-- "DROP SCHEMA public" is inferior to this REVOKE, because pg_dump
2399- doesn't preserve that DROP. -->
2406+ doesn't preserve that DROP.
2407+
2408+ A database owner can attack the database's users via "CREATE SCHEMA
2409+ trojan; ALTER DATABASE $mydb SET search_path = trojan, public;". A
2410+ CREATEROLE user can issue "GRANT $dbowner TO $me" and then use the
2411+ database owner attack. -->
24002412 <para>
24012413 Constrain ordinary users to user-private schemas. To implement this,
24022414 issue <literal>REVOKE CREATE ON SCHEMA public FROM PUBLIC</literal>,
2403- and create a schema for each user with the same name as that user. If
2404- affected users had logged in before this, consider auditing the public
2415+ and create a schema for each user with the same name as that user.
2416+ Recall that the default search path starts
2417+ with <literal>$user</literal>, which resolves to the user name.
2418+ Therefore, if each user has a separate schema, they access their own
2419+ schemas by default. After adopting this pattern in a database where
2420+ untrusted users had already logged in, consider auditing the public
24052421 schema for objects named like objects in
2406- schema <literal>pg_catalog</literal>.Recall that the default search
2407- path starts with <literal>$user</literal>, which resolves to theuser
2408- name. Therefore, if each user has a separate schema, they access their
2409- own schemas by default .
2422+ schema <literal>pg_catalog</literal>.This pattern is a secure schema
2423+ usage pattern unless an untrusted user is thedatabase owner or holds
2424+ the <literal>CREATEROLE</literal> privilege, in which case no secure
2425+ schema usage pattern exists .
24102426 </para>
2411- </listitem>
2412-
2413- <listitem>
24142427 <para>
2415- Remove the public schema from each user's default search path
2416- using <literal>ALTER ROLE <replaceable>user</replaceable> SET
2417- search_path = "$user"</literal>. Everyone retains the ability to
2418- create objects in the public schema, but only qualified names will
2419- choose those objects. While qualified table references are fine, calls
2420- to functions in the public schema <link linkend="typeconv-func">will be
2421- unsafe or unreliable</link>. Also, a user holding
2422- the <literal>CREATEROLE</literal> privilege can undo this setting and
2423- issue arbitrary queries under the identity of users relying on the
2424- setting. If you create functions or extensions in the public schema or
2425- grant <literal>CREATEROLE</literal> to users not warranting this
2426- almost-superuser ability, use the first pattern instead.
24272428 </para>
24282429 </listitem>
24292430
24302431 <listitem>
24312432 <para>
2432- Remove the public schema from<varname>search_path</varname> in
2433- <link linkend="config-setting-configuration-file"><filename>postgresql.conf</filename></link>.
2434- The ensuing user experience matches the previous pattern. In addition
2435- to that pattern's implications for functions
2436- and <literal>CREATEROLE</literal>, this trusts database owners
2437- like <literal>CREATEROLE</literal>. If you create functionsor
2438- extensions in the public schema or assign
2439- the <literal>CREATEROLE</literal>
2440- privilege, <literal>CREATEDB</literal> privilege or individual database
2441- ownership to users not warranting almost-superuser access, use the
2442- first pattern instead .
2433+ Remove the public schema fromthe default search path, by modifying
2434+ <link linkend="config-setting-configuration-file"><filename>postgresql.conf</filename></link>
2435+ or by issuing <literal>ALTER ROLE ALL SET search_path =
2436+ "$user"</literal>. Everyone retains the ability to create objects in
2437+ the public schema, but only qualified names will choose those objects.
2438+ While qualified table references are fine, calls to functionsin the
2439+ public schema <link linkend="typeconv-func">will be unsafe or
2440+ unreliable</link>. If you create functions or extensions in the public
2441+ schema, use the first pattern instead. Otherwise, like the first
2442+ pattern, this is secure unless an untrusted user is the database owner
2443+ or holds the <literal>CREATEROLE</literal> privilege .
24432444 </para>
24442445 </listitem>
24452446
24462447 <listitem>
24472448 <para>
24482449 Keep the default. All users access the public schema implicitly. This
24492450 simulates the situation where schemas are not available at all, giving
2450- a smooth transition from the non-schema-aware world. However, any user
2451- can issue arbitrary queries under the identity of any user not electing
2452- to protect itself individually. This pattern is acceptable only when
2453- the database has a single user or a few mutually-trusting users.
2451+ a smooth transition from the non-schema-aware world. However, this is
2452+ never a secure pattern. It is acceptable only when the database has a
2453+ single user or a few mutually-trusting users.
24542454 </para>
24552455 </listitem>
24562456 </itemizedlist>