Re: Inherit Superuser Role Help

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Carlos Mennens <carlos(dot)mennens(at)gmail(dot)com>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Inherit Superuser Role Help
Date: 2013-04-18 03:16:31
Message-ID: 18658.1366254991@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

Carlos Mennens <carlos(dot)mennens(at)gmail(dot)com> writes:
> Shouldn't 'carlos' be a superuser based on him being a member of a
> role which has createdb and superuser rights granted to it?

No. Superuserness is quite intentionally not inheritable.

It's perhaps a bit more debatable whether other role privilege bits such
as CREATEDB ought to be inheritable. The position we've taken though
is that only grant-able rights inherit via GRANT ROLE.

This is documented under CREATE ROLE:

The INHERIT attribute governs inheritance of grantable privileges (that
is, access privileges for database objects and role memberships). It
does not apply to the special role attributes set by CREATE ROLE and
ALTER ROLE. For example, being a member of a role with CREATEDB
privilege does not immediately grant the ability to create databases,
even if INHERIT is set; it would be necessary to become that role via
SET ROLE before creating a database.

regards, tom lane

In response to

Browse pgsql-general by date

  From Date Subject
Next Message Atri Sharma 2013-04-18 07:54:58 Emulating trigger BEFORE SELECT behavior
Previous Message Carlos Mennens 2013-04-18 03:06:18 Inherit Superuser Role Help