From: | Alexander Kukushkin <cyberdemn(at)gmail(dot)com> |
---|---|
To: | pgsql-bugs(at)postgresql(dot)org |
Subject: | Superuser can't revoke role granted by non-superuser |
Date: | 2025-01-27 08:49:19 |
Message-ID: | CAFh8B=nCyWbxgD9uF5x7NV8y8PGvH_1t6wAfNQkjRnzEhN7OGA@mail.gmail.com |
Lists: | pgsql-bugs |
Hi,

Here is a self-contained example with 17.2, however I assume that 16 and
master will exhibit similar behaviour.

```
postgres=# create user a with createrole;
CREATE ROLE
postgres=# create user b with createrole;
CREATE ROLE
postgres=# set role a;
SET
postgres=> create user aa;
CREATE ROLE
postgres=> set role b;
SET
postgres=> create user bb;
CREATE ROLE
postgres=> grant bb to aa;
GRANT ROLE
postgres=> \drg
              List of role grants
 Role name | Member of |   Options    | Grantor
-----------+-----------+--------------+----------
 a         | aa        | ADMIN        | postgres
 aa        | bb        | INHERIT, SET | b
 b         | bb        | ADMIN        | postgres
(3 rows)

postgres=> reset role;
RESET
postgres=# revoke bb from aa;
WARNING: role "aa" has not been granted membership in role "bb" by role "postgres"
REVOKE ROLE
postgres=# \drg
              List of role grants
 Role name | Member of |   Options    | Grantor
-----------+-----------+--------------+----------
 a         | aa        | ADMIN        | postgres
 aa        | bb        | INHERIT, SET | b
 b         | bb        | ADMIN        | postgres
(3 rows)
```

IMO, superusers should be able to revoke privileges they didn't grant.

Regards,
--
Alexander Kukushkin
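
The following is an added example, not part of the original message. It shows how an administrator can audit which grantor is recorded for each membership in the session above and revoke a grant by naming that grantor. It assumes PostgreSQL 16 or later, where `pg_auth_members` records one row per grantor and `REVOKE` accepts a `GRANTED BY` clause for role memberships, and it reuses the role names `aa`, `bb` and `b` from the session.

```sql
-- Added example (assumes PostgreSQL 16+ and the roles created in the session above).

-- 1. Audit: list every membership in role "bb" together with its recorded grantor.
--    Each (role, member, grantor) combination is a separate row, so the same
--    membership can exist more than once if several roles granted it.
SELECT m.member::regrole   AS role_name,
       m.roleid::regrole   AS member_of,
       m.grantor::regrole  AS grantor,
       m.admin_option,
       m.inherit_option,
       m.set_option
FROM   pg_auth_members AS m
WHERE  m.roleid = 'bb'::regrole
ORDER  BY role_name, grantor;

-- 2. A plain REVOKE targets the grant recorded under the current role.
--    Run as "postgres", this is the statement from the session that only
--    produced the WARNING, because the grant is recorded under grantor "b":
--      REVOKE bb FROM aa;

-- 3. Name the recorded grantor explicitly so the statement targets the
--    row created by "b" instead of a (non-existent) grant by "postgres".
REVOKE bb FROM aa GRANTED BY b;

-- 4. Re-run the audit query to confirm the (aa, bb, b) row is gone.
SELECT m.member::regrole  AS role_name,
       m.roleid::regrole  AS member_of,
       m.grantor::regrole AS grantor
FROM   pg_auth_members AS m
WHERE  m.roleid = 'bb'::regrole
ORDER  BY role_name, grantor;
```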