Greg,
* Greg Fodor (gfodor@gmail.com) wrote:
> Apologies in advance about this since it is likely something obvious,
> but I am seeing some very basic behavior that does not make sense.
> I've tested this on a fresh build of 9.6rc1 and also 9.1.24 (just to
> see if it was a regression.) After creating a test database, and a
> test user that I revoke all privileges on the public schema to, yet
> that user is still able to create tables in the public schema. Revokes
> on other schemas work as expected, it seems the public schema is
> treated specially.
>
> https://gist.github.com/gfodor/c360683f25f55497c8c657255fd0e0f8
>
> Any help appreciated!
The privilege on the public schema was granted to "public" and therefore
must be revoked from "public" to remove that privilege. Revoking from
"guy" doesn't have any effect.
Note that if you revoke all privielges from 'public' then only users who
have been explicitly granted access will be able to create or *use* any
objects in the public schema.
Generally, I revoke CREATE rights from the public schema, but leave
USAGE rights, as I then put trusted extensions and other tools into the
public schema.
Thanks!
Stephen