Re: Superuser can't revoke role granted by non-superuser

From: Kirill Reshke <reshkekirill(at)gmail(dot)com>
To: Alexander Kukushkin <cyberdemn(at)gmail(dot)com>
Cc: pgsql-bugs(at)postgresql(dot)org
Subject: Re: Superuser can't revoke role granted by non-superuser
Date: 2025-01-27 09:37:09
Message-ID: CALdSSPjgndoLCWv0K0qYnjF4s_isODSJ7BTQjSb9DNZMZ-rbcg@mail.gmail.com
Lists: pgsql-bugs

On Mon, 27 Jan 2025 at 14:23, Alexander Kukushkin <cyberdemn(at)gmail(dot)com> wrote:
>
>
> On Mon, 27 Jan 2025 at 10:20, Kirill Reshke <reshkekirill(at)gmail(dot)com> wrote:
>>
>> Reproduced this at cf5eb37 (and not on its parent f026c16)
>> There was some huge refactoring around user.c and particularly
>> `check_role_grantor` function. I'm trying to comprehend.
>
>
> I think the fix should look like:
> diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
> index 02824c32a49..29948d692b6 100644
> --- a/src/backend/commands/user.c
> +++ b/src/backend/commands/user.c
> @@ -2342,7 +2342,8 @@ plan_single_revoke(CatCList *memlist, RevokeRoleGrantAction *actions,
> authmem_form = (Form_pg_auth_members) GETSTRUCT(authmem_tuple);
>
> if (authmem_form->member == member &&
> - authmem_form->grantor == grantor)
> + (authmem_form->grantor == grantor ||
> + grantor == BOOTSTRAP_SUPERUSERID))
> {
> if ((popt->specified & GRANT_ROLE_SPECIFIED_INHERIT) != 0)
> {
>
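Review bot: the new condition in the `if` drops the stored-grantor check entirely whenever the computed `grantor` is `BOOTSTRAP_SUPERUSERID`, so a single REVOKE issued with that grantor would match every `pg_auth_members` row for this `member`, whoever actually recorded the grant, rather than only the row whose grantor cannot otherwise be matched. That is a wider change than fixing the one case in the bug report, and the hunk carries no comment explaining why the bootstrap superuser alone is special (a non-bootstrap superuser hitting the same path would still fail the equality test). It would help to state the intended semantics in a comment above the condition, and to consider whether the fix belongs at the point where `grantor` is computed (the `check_role_grantor` path mentioned earlier in the thread) instead of in this loop, so that the membership row being revoked is still identified by its actual grantor.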
I doubt this is a correct fix. The difference between cf5eb37 &
f026c16 behaviour is in who granted membership in role 'bb' to role
'aa'. In the case of f026c16 the role is 'b', while after it, it is the
bootstrap superuser. Is this correct? If yes, why should we consider
BOOTSTRAP_SUPERUSERID in this if statement? Maybe there are some other
cases against which this will not guard?

--
Best regards,
Kirill Reshke
