From: | Kirill Reshke <reshkekirill(at)gmail(dot)com> |
---|---|
To: | Alexander Kukushkin <cyberdemn(at)gmail(dot)com> |
Cc: | pgsql-bugs(at)postgresql(dot)org |
Subject: | Re: Superuser can't revoke role granted by non-superuser |
Date: | 2025-01-27 09:20:00 |
Message-ID: | CALdSSPjrXoUM3VJ-o_H6NEhGXvqDR3jf8VohpMxy1J2hfYDo1w@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-bugs |
On Mon, 27 Jan 2025 at 13:49, Alexander Kukushkin <cyberdemn(at)gmail(dot)com> wrote:
>
> Hi,
>
> Here is a self-contained example with 17.2, however I assume that 16 and master will exhibit similar behaviour.
>
> postgres=# create user a with createrole;
> CREATE ROLE
> postgres=# create user b with createrole;
> CREATE ROLE
> postgres=# set role a;
> SET
> postgres=> create user aa;
> CREATE ROLE
> postgres=> set role b;
> SET
> postgres=> create user bb;
> CREATE ROLE
> postgres=> grant bb to aa;
> GRANT ROLE
> postgres=> \drg
> List of role grants
> Role name | Member of | Options | Grantor
> -----------+-----------+--------------+----------
> a | aa | ADMIN | postgres
> aa | bb | INHERIT, SET | b
> b | bb | ADMIN | postgres
> (3 rows)
>
> postgres=> reset role;
> RESET
> postgres=# revoke bb from aa;
> WARNING: role "aa" has not been granted membership in role "bb" by role "postgres"
> REVOKE ROLE
> postgres=# \drg
> List of role grants
> Role name | Member of | Options | Grantor
> -----------+-----------+--------------+----------
> a | aa | ADMIN | postgres
> aa | bb | INHERIT, SET | b
> b | bb | ADMIN | postgres
> (3 rows)
>
> IMO, superusers should be able to revoke privileges it didn't grant.
>
> Regards,
> --
> Alexander Kukushkin
Reproduced this at cf5eb37 (and not on its parent f026c16)
There was some huge refactoring around user.c and particularly
`check_role_grantor` function. I'm trying to comprehend.
--
Best regards,
Kirill Reshke
From | Date | Subject | |
---|---|---|---|
Next Message | Alexander Kukushkin | 2025-01-27 09:22:58 | Re: Superuser can't revoke role granted by non-superuser |
Previous Message | Alexander Kukushkin | 2025-01-27 08:49:19 | Superuser can't revoke role granted by non-superuser |