Open
Description
Hi,
I am following Harden Your Supabase: Lessons from Real-World Pentests. Under "Full Read SSRF via http / pg_net Extension Over RPC" it highlights that custom schemas are accessible from anon. I tested this and it is the case for me which does not seem secure.
I tried to run:

```sql
-- Attempted as the postgres role: remove anon/authenticated access to the
-- net schema and its functions, then take it out of PostgREST's exposed schemas.
revoke usage on schema net from anon, authenticated;
revoke execute on all functions in schema net from anon, authenticated;
alter default privileges in schema net revoke execute on functions from anon;
alter default privileges in schema net revoke execute on functions from authenticated;
alter role authenticator set pgrst.db_schemas = 'public,storage';
notify pgrst, 'reload config';
```
But was met with: `postgres@postgres WARNING: no privileges could be revoked for "net"`.
This is because custom schemas are owned by the superuser superbase_admin, and the postgres role is not a superuser.
How can I revoke access to my custom schemas? Feels like something the security advisor ought to mention.
Thanks.
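As an added example, not part of the issue author's post and not Supabase's own tooling: the diagnostic queries below, run as the `postgres` role, show why the `revoke` above is a no-op and whether the PostgREST schema-list change took effect. The schema name `net` and the role names `anon`, `authenticated` and `authenticator` are taken from the issue; everything else is standard PostgreSQL catalog access. The relevant PostgreSQL rule is that a non-owner `REVOKE` only removes grants the revoking role itself made or holds grant options for, so when every grantor on the schema is a different (superuser) role, there is nothing for `postgres` to revoke and the server reports the warning seen above.

```sql
-- Added diagnostic queries (not from the issue above). Run as postgres on a
-- Supabase project; replace 'net' with your own custom schema.

-- 1. Who owns the schema, and which role granted each privilege on it.
--    If every grantor is the schema owner (e.g. supabase_admin) and none is
--    postgres, a REVOKE issued by postgres has nothing it is allowed to remove,
--    which is exactly the "no privileges could be revoked" warning.
SELECT n.nspname                              AS schema_name,
       pg_get_userbyid(n.nspowner)            AS owner,
       pg_get_userbyid(a.grantor)             AS grantor,
       CASE a.grantee
            WHEN 0 THEN 'PUBLIC'
            ELSE pg_get_userbyid(a.grantee)
       END                                    AS grantee,
       a.privilege_type,
       a.is_grantable
FROM   pg_namespace n
       -- acldefault() substitutes the owner-only default ACL when nspacl is NULL
       CROSS JOIN LATERAL aclexplode(coalesce(n.nspacl, acldefault('n', n.nspowner))) AS a
WHERE  n.nspname = 'net';

-- 2. Effective access from the API roles: can anon / authenticated use the
--    schema at all, and which of its functions can each of them execute?
SELECT r.rolname,
       has_schema_privilege(r.rolname, n.nspname, 'USAGE')          AS schema_usage,
       p.proname || '(' || pg_get_function_identity_arguments(p.oid) || ')'
                                                                    AS function_signature,
       has_function_privilege(r.rolname, p.oid, 'EXECUTE')          AS can_execute
FROM   pg_roles r
       CROSS JOIN pg_proc p
       JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE  r.rolname IN ('anon', 'authenticated')
  AND  n.nspname = 'net'
ORDER  BY r.rolname, function_signature;

-- 3. Which schemas PostgREST will expose after the next config reload: this is
--    the per-role setting written by "alter role authenticator set pgrst.db_schemas".
--    A schema that is absent from this list is not reachable over the REST API
--    even when anon still holds USAGE on it at the database level.
SELECT cfg AS authenticator_setting
FROM   pg_db_role_setting s
       JOIN pg_roles r ON r.oid = s.setrole
       CROSS JOIN LATERAL unnest(s.setconfig) AS cfg
WHERE  r.rolname = 'authenticator'
  AND  cfg LIKE 'pgrst.db_schemas=%';
```

Query 1 is the one to run first: it tells you whether the grants on the schema were made by a role other than `postgres`, which is the only case in which the warning is expected. Query 2 confirms what `anon` and `authenticated` can actually do, regardless of who granted it, and query 3 shows whether the PostgREST schema list already excludes the schema (run `notify pgrst, 'reload config';` afterwards so the running PostgREST instance picks it up).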
Labels
No labels