Re: Superuser can't revoke role granted by non-superuser

From: Kirill Reshke <reshkekirill(at)gmail(dot)com>
To: Alexander Kukushkin <cyberdemn(at)gmail(dot)com>
Cc: pgsql-bugs(at)postgresql(dot)org
Subject: Re: Superuser can't revoke role granted by non-superuser
Date: 2025-01-27 09:20:00
Message-ID: CALdSSPjrXoUM3VJ-o_H6NEhGXvqDR3jf8VohpMxy1J2hfYDo1w@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-bugs

On Mon, 27 Jan 2025 at 13:49, Alexander Kukushkin <cyberdemn(at)gmail(dot)com> wrote:
>
> Hi,
>
> Here is a self-contained example with 17.2, however I assume that 16 and master will exhibit similar behaviour.
>
> postgres=# create user a with createrole;
> CREATE ROLE
> postgres=# create user b with createrole;
> CREATE ROLE
> postgres=# set role a;
> SET
> postgres=> create user aa;
> CREATE ROLE
> postgres=> set role b;
> SET
> postgres=> create user bb;
> CREATE ROLE
> postgres=> grant bb to aa;
> GRANT ROLE
> postgres=> \drg
> List of role grants
> Role name | Member of | Options | Grantor
> -----------+-----------+--------------+----------
> a | aa | ADMIN | postgres
> aa | bb | INHERIT, SET | b
> b | bb | ADMIN | postgres
> (3 rows)
>
> postgres=> reset role;
> RESET
> postgres=# revoke bb from aa;
> WARNING: role "aa" has not been granted membership in role "bb" by role "postgres"
> REVOKE ROLE
> postgres=# \drg
> List of role grants
> Role name | Member of | Options | Grantor
> -----------+-----------+--------------+----------
> a | aa | ADMIN | postgres
> aa | bb | INHERIT, SET | b
> b | bb | ADMIN | postgres
> (3 rows)
>
> IMO, superusers should be able to revoke privileges it didn't grant.
>
> Regards,
> --
> Alexander Kukushkin

Reproduced this at cf5eb37 (and not on its parent f026c16)
There was some huge refactoring around user.c and particularly
`check_role_grantor` function. I'm trying to comprehend.

--
Best regards,
Kirill Reshke

In response to

Responses

Browse pgsql-bugs by date

  From Date Subject
Next Message Alexander Kukushkin 2025-01-27 09:22:58 Re: Superuser can't revoke role granted by non-superuser
Previous Message Alexander Kukushkin 2025-01-27 08:49:19 Superuser can't revoke role granted by non-superuser