| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
| Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: CREATE ROLE bug? |
| Date: | 2023-01-25 15:40:50 |
| Message-ID: | Y9FNgnfW7u8teYJ9@momjian.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Wed, Jan 25, 2023 at 07:38:51AM -0700, David G. Johnston wrote:
> On Wed, Jan 25, 2023 at 7:35 AM Bruce Momjian <bruce(at)momjian(dot)us> wrote:
>
>
> So, how would someone with CREATEROLE permission add people to their own
> role, without superuser permission? Are we adding any security by
> preventing this?
>
>
>
> As an encouraged design choice you wouldn't. You'd create a new group and add
> both yourself and the new role to it - then grant it the desired permissions.
>
> A CREATEROLE role should probably be a user (LOGIN) role and user roles should
> not have members.
Makes sense. I was actually using that pattern, but in running some
test scripts that didn't revert back to the superuser, I saw the errors
and was confused.
--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EDB https://enterprisedb.com
Embrace your flaws. They make you human, rather than perfect,
which you will never be.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Aleksander Alekseev | 2023-01-25 15:45:12 | [PATCH] Make ON CONFLICT DO NOTHING and ON CONFLICT DO UPDATE consistent |
| Previous Message | songjinzhou | 2023-01-25 15:39:00 | Re: Re: Support plpgsql multi-range in conditional control |