BUG #1113: Default template databases grant CREATE to PUBLIC

The following bug has been logged online:

Bug reference:      1113
Logged by:          Oliver Elphick

Email address:      postgresql@packages.debian.org

PostgreSQL version: 7.4

Operating system:   Debian Linux

Description:        Default template databases grant CREATE to PUBLIC

Details:

The default database created by initdb (in template0 and template1) grants
CREATE permission on the public schema to PUBLIC.  Therefore any user is
able to create a table or function, including a function that can bring down
the machine by (for example) recursively calling itself.  By default, any
user can create objects in template1, as well.

The default should be for CREATE permissions on the public schema to be
revoked from PUBLICc.

This might break old applications which have not been updated to take
account of schemas; the workaround for them would be to grant permissions in
template1.public as appropriate.

Debian bug ref: #239811