| From: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, Michael(dot)Dietrich(at)swisscom(dot)com, pgsql-admin(at)lists(dot)postgresql(dot)org |
| Subject: | Re: Connect to db denied for superuser inherited by group |
| Date: | 2018-03-16 15:08:03 |
| Message-ID: | CAKFQuwZJ3Vf9ftUnr2oK5j+EO+vQ9ZwrhpfM-1oJ8Nwxk81JBw@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-admin |
On Fri, Mar 16, 2018 at 7:52 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Stephen Frost <sfrost(at)snowman(dot)net> writes:
> > * Michael(dot)Dietrich(at)swisscom(dot)com (Michael(dot)Dietrich(at)swisscom(dot)com) wrote:
> >> 2) User without superuser privileges uses a role with superuser rights
> (usage confirmed with SHOW current_role.)
>
> > Please provide more details about what this step #2 actually means.
>
> If you mean that you did "GRANT superuserrole TO nonsuperuser", this
> does not make "nonsuperuser" into a superuser; it merely allows
> "nonsuperuser" to use whatever ordinary privileges might've been
> granted to "superuserrole".
IOW, the privileges on the "CREATE ROLE" page are not inheritable -
inheritance only applies to privileges that are GRANT'ed
David J.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Heinemann, Manfred (IMS) | 2018-03-16 21:09:52 | RE: Function search_path |
| Previous Message | Tom Lane | 2018-03-16 14:52:44 | Re: Connect to db denied for superuser inherited by group |