Arrange for the default permissions on a database to allow temp table

creation to world, but disallow temp table creation in template1. Per latest round of pghackers discussion. I did not force initdb, but the permissions lockdown on template1 will not take effect unless you do one (or manually REVOKE TEMP ON DATABASE template1 FROM public).

Arrange for the default permissions on a database to allow temp table
creation to world, but disallow temp table creation in template1. Per latest round of pghackers discussion. I did not force initdb, but the permissions lockdown on template1 will not take effect unless you do one (or manually REVOKE TEMP ON DATABASE template1 FROM public).
d61de589 · Tom Lane · c7d07b5a · d61de589 · d61de589 · d61de589
Commit d61de589 authored Sep 03, 2002 by Tom Lane
4 changed files
--- a/doc/src/sgml/ref/grant.sgml
+++ b/doc/src/sgml/ref/grant.sgml
 <!--
-$Header: /cvsroot/pgsql/doc/src/sgml/ref/grant.sgml,v 1.28 2002/08/12 20:02:09 petere Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/ref/grant.sgml,v 1.29 2002/09/03 22:17:34 tgl Exp $
 PostgreSQL documentation
 -->

@@ -292,11 +292,13 @@ GRANT SELECT,UPDATE,INSERT ON mytable TO GROUP todos;
   <para>
   If the <quote>Access privileges</> column is empty for a given object,
 it means the object has default privileges (that is, its privileges field
-is NULL).  Currently, default privileges are interpreted the same way
-for all object types: all privileges for the owner and no privileges for
-anyone else.  The first <command>GRANT</> on an object will instantiate
-this default (producing, for example, <literal>{=,miriam=arwdRxt}</>)
-and then modify it per the specified request.
+is NULL).  Currently, default privileges are interpreted as <quote>all
+privileges for the owner and no privileges for anyone else</quote>, except
+for databases: the default privilege settings for a database allow anyone
+to create temporary tables in it.  The first <command>GRANT</> or
+<command>REVOKE</> on an object
+will instantiate the default privileges (producing, for example,
+<literal>{=,miriam=arwdRxt}</>) and then modify them per the specified request.
   </para>
 </refsect1>


--- a/src/backend/commands/dbcommands.c
+++ b/src/backend/commands/dbcommands.c
@@ -9,7 +9,7 @@
 *
 *
 * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/commands/dbcommands.c,v 1.103 2002/09/03 21:45:41 petere Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/commands/dbcommands.c,v 1.104 2002/09/03 22:17:34 tgl Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -328,7 +328,12 @@ createdb(const CreatedbStmt *stmt)
 	/* do not set datpath to null, GetRawDatabaseInfo won't cope */
 	new_record[Anum_pg_database_datpath - 1] =
 		DirectFunctionCall1(textin, CStringGetDatum(dbpath ? dbpath : ""));
-
+	/*
+	 * We deliberately set datconfig and datacl to defaults (NULL), rather
+	 * than copying them from the template database.  Copying datacl would
+	 * be a bad idea when the owner is not the same as the template's owner.
+	 * It's more debatable whether datconfig should be copied.
+	 */
 	new_record_nulls[Anum_pg_database_datconfig - 1] = 'n';
 	new_record_nulls[Anum_pg_database_datacl - 1] = 'n';


--- a/src/backend/utils/adt/acl.c
+++ b/src/backend/utils/adt/acl.c
@@ -8,7 +8,7 @@
 *
 *
 * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/utils/adt/acl.c,v 1.77 2002/08/27 03:56:35 momjian Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/utils/adt/acl.c,v 1.78 2002/09/03 22:17:35 tgl Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -396,7 +396,7 @@ aclitemgt(const AclItem *a1, const AclItem *a2)
 * acldefault()  --- create an ACL describing default access permissions
 *
 * Change this routine if you want to alter the default access policy for
- * newly-created tables (or any table with a NULL acl entry in pg_class)
+ * newly-created objects (or any object with a NULL acl entry).
 */
 Acl *
 acldefault(GrantObjectType objtype, AclId ownerid)
@@ -413,7 +413,7 @@ acldefault(GrantObjectType objtype, AclId ownerid)
 			owner_default = ACL_ALL_RIGHTS_RELATION;
 			break;
 		case ACL_OBJECT_DATABASE:
-			world_default = ACL_NO_RIGHTS;
+			world_default = ACL_CREATE_TEMP; /* not NO_RIGHTS! */
 			owner_default = ACL_ALL_RIGHTS_DATABASE;
 			break;
 		case ACL_OBJECT_FUNCTION:

--- a/src/bin/initdb/initdb.sh
+++ b/src/bin/initdb/initdb.sh
@@ -27,7 +27,7 @@
 # Portions Copyright (c) 1996-2002, PostgreSQL Global Development Group
 # Portions Copyright (c) 1994, Regents of the University of California
 #
-# $Header: /cvsroot/pgsql/src/bin/initdb/Attic/initdb.sh,v 1.171 2002/09/03 21:45:43 petere Exp $
+# $Header: /cvsroot/pgsql/src/bin/initdb/Attic/initdb.sh,v 1.172 2002/09/03 22:17:35 tgl Exp $
 #
 #-------------------------------------------------------------------------

@@ -1064,6 +1064,14 @@ UPDATE pg_database SET \
 UPDATE pg_database SET datlastsysoid = \
    (SELECT oid - 1 FROM pg_database WHERE datname = 'template0');

+-- Explicitly revoke public create-schema and create-temp-table privileges
+-- in template1 and template0; else the latter would be on by default
+
+REVOKE CREATE,TEMPORARY ON DATABASE template1 FROM public;
+REVOKE CREATE,TEMPORARY ON DATABASE template0 FROM public;
+
+-- Finally vacuum to clean up dead rows in pg_database
+
 VACUUM FULL pg_database;
 EOF
 if [ "$?" -ne 0 ]; then