On Wed, Jun 29, 2011 at 1:20 PM, David Fetter <da...@fetter.org> wrote: > On Wed, Jun 29, 2011 at 11:50:38AM -0400, Alvaro Herrera wrote: >> Excerpts from Andrew Dunstan's message of mié jun 29 11:21:12 -0400 2011: >> > >> > I was just reading the docs on default privileges, and they say this: >> > >> > Depending on the type of object, the initial default privileges >> > might include granting some privileges to PUBLIC. The default is no >> > public access for tables, columns, schemas, and tablespaces; CONNECT >> > privilege and TEMP table creation privilege for databases; EXECUTE >> > privilege for functions; and USAGE privilege for languages. The >> > object owner can of course revoke these privileges. >> > >> > >> > I had to read it several times before I understood it properly, so I'm >> > not terribly happy with it. I'm thinking of revising it slightly like this: >> > >> > Depending on the type of object, the initial default privileges >> > might include granting some privileges to PUBLIC, including CONNECT >> > privilege and TEMP table creation privilege for databases, EXECUTE >> > privilege for functions, and USAGE privilege for languages. For >> > tables, columns, schemas and tablespaces the default is no public >> > access. The object owner can of course revoke any default PUBLIC >> > privileges. >> >> Some types of objects [have/include/grant] no privileges to PUBLIC by >> default. These are tables, columns, schemas and tablespaces. For other >> types, the default privileges granted to PUBLIC are as follows: CONNECT >> privilege and TEMP table creation privilege for databases; EXECUTE >> privilege for functions; and USAGE privilege for languages. The object >> owner can, of course, revoke [these/any default] privileges. > > How about this? > > Some types of objects deny all privileges to PUBLIC by default. These > are tables, columns, schemas and tablespaces. For other types, the > default privileges granted to PUBLIC are as follows: CONNECT privilege > and TEMP table creation privilege for databases; EXECUTE privilege for > functions; and USAGE privilege for languages. The object owner can, > of course, revoke both default and expressly granted privileges.
Or, since I find the use of the word "deny" a bit unclear: When a table, column, schema, or tablespace is created, no privileges are granted to PUBLIC. But for other objects, some privileges will be granted to PUBLIC automatically at the time the object is created: CONNECT privilege and TEMP table creation privilege for database, ... <etc., the rest as you have it> -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
