Tom Lane wrote:
> Kenneth Downs <ken(at)secdat(dot)com> writes:
>
>> Except for the hole. On a public site that lets users register, we have
>> to have a way to let the web server assume the role of somebody who has
>> createuser privilege, and that's pretty much the end of the no-root
>> policy. If an exploit could be placed, it could simply go into that
>> mode and create a superuser.
>>
>
>
>> What would be really nice is if you could limit the ability of
>> CREATEUSER to grant roles.
>>
>
> I believe that a role that has CREATEROLE but not SUPERUSER can only
> create non-SUPERUSER roles. Does that help?
>
> regards, tom lane
>
Probably not. The problem is that a person with createrole can create
any role, so by mistake or exploit a user can be given admin access
(admin here defined by roles given, not by SUPERUSER flag) to another
database by a role that itself is supposed to be a public-only mostly
read-only role.
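An added SQL illustration of the hole under discussion (example code, not part of the thread; the role names app_admin, web_register and newuser are assumed): a role with CREATEROLE but not SUPERUSER cannot mint a superuser, which is Tom's point, but on PostgreSQL releases before 16 it can grant membership in any non-superuser role, including a privileged application-owner role, which is Kenneth's. The final two queries are the audit check a DBA would run to see who holds CREATEROLE and who has been handed the privileged role.

```sql
-- Setup, run as a superuser.
CREATE ROLE app_admin NOLOGIN;               -- assumed: owns the application schema / other database
CREATE ROLE web_register LOGIN CREATEROLE;   -- the role the web server assumes to register users

-- Now act as the limited registration role.
SET ROLE web_register;

-- Blocked: CREATEROLE without SUPERUSER cannot create a superuser.
CREATE ROLE newuser LOGIN SUPERUSER;         -- ERROR: must be superuser to create superusers

-- Allowed: an ordinary login role.
CREATE ROLE newuser LOGIN;

-- The hole (PostgreSQL < 16): CREATEROLE may grant membership in ANY
-- non-superuser role, so a compromised web_register can hand out admin
-- access to app_admin without ever touching the SUPERUSER flag.
GRANT app_admin TO newuser;

RESET ROLE;

-- Audit check 1: every role that can create roles or is a superuser.
SELECT rolname, rolsuper, rolcreaterole
  FROM pg_roles
 WHERE rolcreaterole OR rolsuper
 ORDER BY rolname;

-- Audit check 2: everyone who has been granted the privileged role,
-- and whether they can pass it on further (admin_option).
SELECT m.rolname AS member,
       r.rolname AS granted_role,
       am.admin_option
  FROM pg_auth_members am
  JOIN pg_roles m ON m.oid = am.member
  JOIN pg_roles r ON r.oid = am.roleid
 WHERE r.rolname = 'app_admin'
 ORDER BY member;

-- Cleanup.
REVOKE app_admin FROM newuser;
DROP ROLE newuser;
DROP ROLE web_register;
DROP ROLE app_admin;
```

Caveat for anyone reading this thread today: PostgreSQL 16 tightened CREATEROLE so that a CREATEROLE role can only grant membership in roles on which it holds ADMIN OPTION (it gets that automatically on roles it creates, not on pre-existing ones), so on 16 and later the `GRANT app_admin TO newuser` above fails with a permission error. On older releases the two audit queries are the practical check: CREATEROLE should be held by as few roles as possible, and any unexpected member of a privileged role is a finding.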