Re: User with "almost" superuser privileges

From: Daniel Gomez Blanco <nanodgb(at)gmail(dot)com>
To: Brauner Oliveira <brauner(dot)rno(at)gmail(dot)com>, pgsql-novice(at)postgresql(dot)org
Subject: Re: User with "almost" superuser privileges
Date: 2013-07-18 13:51:28
Message-ID: CAL4HELedcN+5XpenZbNC5V=-BbOgJHu6QPTZDRyQjnxC+M75GA@mail.gmail.com
Lists: pgsql-novice

Hi Brauner,

Thanks for your response. What I'm doing now is that I create a user:

create user admin with password 'password' createdb createrole createuser;

And then grant some privileges, e.g.:

grant execute on function current_setting(setting_name text) to admin with
grant option;

I'm granting all the functionality this "almost superuser" needs, except the
functions I disallow (like pg_ls_dir for example). But I still don't know
if I'm granting all the functionality a superuser has. What would be great
is some documentation explaining a bit more what a superuser is able to do.
Unfortunately, I haven't found any. All I have found is some random "you
need to be superuser to do this", but not a complete list of what a
superuser can do...

Cheers,

Daniel

On 18 July 2013 15:41, Brauner Oliveira <brauner(dot)rno(at)gmail(dot)com> wrote:

> A SUPERUSER will bypass every database privilege (if it has a right
> entry in pg_hba), so if you want to create an "almost superuser" you'll
> have to look at GRANT <http://www.postgresql.org/docs/9.2/static/sql-grant.html> and
> REVOKE <http://www.postgresql.org/docs/9.2/static/sql-revoke.html> (that
> have no effect on superusers). You may also create a role with CREATEDB
> then create the database you want. Take a look at:
> http://www.postgresql.org/docs/9.2/static/ddl-priv.html.
>
> I hope this has helped, sorry for my bad English.
>
> brno
>
>
> 2013/7/18 Daniel Gomez Blanco <nanodgb(at)gmail(dot)com>
>
>> Hello,
>>
>> I'd like to create a user that is almost a superuser, but without some
>> privileges. I cannot create a superuser and then revoke privileges from
>> them, because by definition nothing can be revoked from superusers. So how
>> can I know what a superuser is able to execute compared to a user with the
>> rest of attributes, but without superuser? If I knew this I could grant
>> those privileges after I create the user.
>>
>> Cheers,
>>
>> Daniel
>>
>
>
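
An audit for the setup discussed in this thread, as an added example that is not part of the original messages: it checks which attributes the role really holds and which built-in functions its ACLs do and do not allow. It assumes the role name admin from the message above; in the 9.2 documentation linked in the thread, CREATEUSER is an obsolete spelling of SUPERUSER, so the first query is the one to read first.

```sql
-- Added example, not from the thread. Assumes a role named "admin".

-- 1. Role attributes. If rolsuper is true, every privilege check below is
--    bypassed and GRANT/REVOKE have no effect on this role.
SELECT rolname, rolsuper, rolcreatedb, rolcreaterole, rolreplication
FROM pg_roles
WHERE rolname = 'admin';

-- 2. Built-in functions the role is NOT allowed to execute according to
--    their ACLs (for a superuser this returns no rows).
SELECT p.oid::regprocedure::text AS function_signature
FROM pg_proc AS p
JOIN pg_namespace AS n ON n.oid = p.pronamespace
WHERE n.nspname = 'pg_catalog'
  AND NOT has_function_privilege('admin', p.oid, 'EXECUTE')
ORDER BY function_signature;

-- 3. Explicit function grants held by the role, including whether they
--    were given WITH GRANT OPTION (and can therefore be passed on).
SELECT s.function_signature,
       (s.acl).privilege_type,
       (s.acl).is_grantable
FROM (
    SELECT p.oid::regprocedure::text AS function_signature,
           aclexplode(p.proacl)      AS acl
    FROM pg_proc AS p
    WHERE p.proacl IS NOT NULL
) AS s
JOIN pg_roles AS r ON r.oid = (s.acl).grantee
WHERE r.rolname = 'admin'
ORDER BY s.function_signature;
```

has_function_privilege reports only the ACL check; a function that tests for superuser inside its own implementation still refuses a non-superuser even when EXECUTE has been granted.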
