Hi. I've recently realized via a post (or article?) from Laurenz that the PUBLIC role has CREATE privilege on the 'public' schema by default (see query below). I guess it can't be avoided?
OK, then I'll REVOKE that privilege when creating a new DB.
Like I already revoked the default CONNECT to PUBLIC on the DB.
But I'm wondering about unexpected side-effects.
In particular, we need extensions, which are loaded in public by default.
Will USAGE of public be enough for LOGIN users having access to the DB to use extensions?
More broadly, we want to secure the DB so that all DB access and schema access are explicit.
Anything else to be aware of please, besides the two mentioned above?
Thanks, --DD
```
=> select grantor::regrole::text, case grantee when 0 then 'PUBLIC' else grantee::regrole::text end, privilege_type as priv, is_grantable as adm from pg_namespace, lateral aclexplode(nspacl) where nspname = 'public';
 grantor  | grantee  |  priv  | adm
----------+----------+--------+-----
 postgres | postgres | USAGE  | f
 postgres | postgres | CREATE | f
 postgres | PUBLIC   | USAGE  | f
 postgres | PUBLIC   | CREATE | f
(4 rows)
```
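
Added example, not part of the original post: the lockdown the post describes (no default CONNECT on the database, no default CREATE on `public`), followed by audit queries that confirm nothing is still granted to PUBLIC. The names `app_db` and `app_users` are assumptions, and revoking TEMPORARY and schema USAGE from PUBLIC goes one step beyond the two revokes the post mentions.

```sql
-- Added example. Assumed names (not from the post): database app_db,
-- group role app_users. Run as a superuser or the database owner,
-- while connected to app_db.
BEGIN;

-- Database level: PUBLIC holds CONNECT and TEMPORARY by default.
REVOKE CONNECT, TEMPORARY ON DATABASE app_db FROM PUBLIC;

-- Schema level: removes both PUBLIC rows shown in the post's query output
-- (CREATE and USAGE), so that schema access has to be granted explicitly.
REVOKE ALL ON SCHEMA public FROM PUBLIC;

-- Explicit access goes through a NOLOGIN group role; LOGIN users are
-- then made members of it with GRANT app_users TO <user>.
CREATE ROLE app_users NOLOGIN;
GRANT CONNECT ON DATABASE app_db TO app_users;
GRANT USAGE ON SCHEMA public TO app_users;

COMMIT;

-- Audit 1: privileges PUBLIC (grantee 0) still holds on non-system schemas.
-- Expect no rows for 'public' after the REVOKE above.
SELECT n.nspname, a.privilege_type
FROM pg_namespace AS n, LATERAL aclexplode(n.nspacl) AS a
WHERE a.grantee = 0
  AND n.nspname !~ '^pg_'
  AND n.nspname <> 'information_schema';

-- Audit 2: privileges PUBLIC holds on the current database.
-- A NULL datacl means the built-in defaults apply, hence acldefault().
SELECT d.datname, a.privilege_type
FROM pg_database AS d,
     LATERAL aclexplode(coalesce(d.datacl, acldefault('d', d.datdba))) AS a
WHERE a.grantee = 0
  AND d.datname = current_database();

-- Audit 3: the schema each installed extension lives in. Functions grant
-- EXECUTE to PUBLIC by default, so USAGE on that schema is what gates
-- calling them once the schema-level grants to PUBLIC are gone.
SELECT e.extname, n.nspname AS ext_schema
FROM pg_extension AS e
JOIN pg_namespace AS n ON n.oid = e.extnamespace;
```

Databases created later get the defaults back unless the same revokes are applied to the template they are cloned from.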