From: | Alexander Kukushkin <cyberdemn(at)gmail(dot)com> |
---|---|
To: | Kirill Reshke <reshkekirill(at)gmail(dot)com> |
Cc: | pgsql-bugs(at)postgresql(dot)org |
Subject: | Re: Superuser can't revoke role granted by non-superuser |
Date: | 2025-01-27 10:13:47 |
Message-ID: | CAFh8B=k0dciS9gQjF=KANv5REwe+8XqKLyUTuWfMP7DY8xsJVg@mail.gmail.com |
Lists: | pgsql-bugs |
On Mon, 27 Jan 2025 at 10:37, Kirill Reshke <reshkekirill(at)gmail(dot)com> wrote:
> I doubt this is a correct fix. The difference between cf5eb37 &
> f026c16 behaviour is in who granted membership in role 'bb' to role
> 'aa'. In the case of f026c16 the role is 'b', while after it is the
> bootstrap superuser. Is this correct? If yes, why should we consider
> BOOTSTRAP_SUPERUSERID in this if statement? Maybe there are some other
> cases from which this will not guard?
>
Or... Maybe it is actually working like this by design.
There is a UNIQUE constraint on the pg_auth_members (member, roleid, grantor)
columns.
Therefore the function explicitly searches for a tuple with an exact match of
member and grantor.
Also, the REVOKE syntax was extended to support GRANTED BY.
E.g., a superuser is supposed to use "revoke bb from aa granted by b".
Regards,
--
Alexander Kukushkin
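The scenario discussed in this message, as an added SQL example that is not part of the original thread and not code from the PostgreSQL project. It assumes PostgreSQL 16 or later, where pg_auth_members records one row per (member, roleid, grantor), and that it is run in a superuser session; the role names aa, bb and b are the ones used in the thread. The final lookup query and the cleanup are my own additions.

```sql
-- Added example (not from the original thread). Run as a superuser on
-- PostgreSQL 16+.
CREATE ROLE b;
CREATE ROLE aa;
CREATE ROLE bb;

-- b can only grant membership in bb if it holds ADMIN OPTION on bb.
GRANT bb TO b WITH ADMIN OPTION;

-- Perform the grant while acting as b, so the row written to
-- pg_auth_members records b as the grantor, not the bootstrap superuser.
SET ROLE b;
GRANT bb TO aa;
RESET ROLE;

-- Inspect the membership rows: one row per (member, roleid, grantor).
-- Expect exactly one row for aa -> bb, with grantor = b.
SELECT m.rolname AS member, r.rolname AS role, g.rolname AS grantor
  FROM pg_auth_members am
  JOIN pg_roles m ON m.oid = am.member
  JOIN pg_roles r ON r.oid = am.roleid
  JOIN pg_roles g ON g.oid = am.grantor
 WHERE m.rolname = 'aa' AND r.rolname = 'bb';

-- A plain REVOKE issued by a superuser is matched against a grant whose
-- grantor is the bootstrap superuser (the BOOTSTRAP_SUPERUSERID case the
-- thread refers to). No such row exists here, so this statement does not
-- remove b's grant; re-run the SELECT above to confirm the row is still there.
REVOKE bb FROM aa;

-- Naming the recorded grantor makes the lookup match the row that exists.
REVOKE bb FROM aa GRANTED BY b;

-- Re-running the SELECT above now returns no rows.

-- Cleanup.
DROP ROLE aa;
DROP ROLE bb;
DROP ROLE b;
```

The SELECT is the quickest way to see which grantor a membership row carries before deciding what to put after GRANTED BY; a superuser who skips it and issues the bare REVOKE will be looking for a row that was never written.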