| Lists: | pgsql-hackers |
|---|
| From: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
|---|---|
| To: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | CREATEROLE, CREATEDB |
| Date: | 2007-06-05 14:04:44 |
| Message-ID: | 200706051604.44929.peter_e@gmx.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Lists: | pgsql-hackers |
Is it correct that a user with CREATEROLE privilege but without CREATEDB
privilege can create a user with *CREATEDB* privilege, thus bypassing his
original restrictions? This sequence doesn't look right:
pei=# create user foo1 createrole;
CREATE ROLE
pei=# \c - foo1
You are now connected to database "pei" as user "foo1".
pei=> create database test;
ERROR: permission denied to create database
pei=> create user foo2 createdb;
CREATE ROLE
pei=> \c - foo2
You are now connected to database "pei" as user "foo2".
pei=> create database test;
CREATE DATABASE
--
Peter Eisentraut
http://developer.postgresql.org/~petere/
| From: | Bernd Helmle <mailings(at)oopsware(dot)de> |
|---|---|
| To: | Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: CREATEROLE, CREATEDB |
| Date: | 2007-06-05 14:50:40 |
| Message-ID: | EFB9060AA8B7988D3C0175D6@imhotep.credativ.de |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Lists: | pgsql-hackers |
--On Dienstag, Juni 05, 2007 16:04:44 +0200 Peter Eisentraut
<peter_e(at)gmx(dot)net> wrote:
> Is it correct that a user with CREATEROLE privilege but without CREATEDB
> privilege can create a user with *CREATEDB* privilege, thus bypassing his
> original restrictions? This sequence doesn't look right:
>
> pei=# create user foo1 createrole;
> CREATE ROLE
> pei=# \c - foo1
> You are now connected to database "pei" as user "foo1".
> pei=> create database test;
> ERROR: permission denied to create database
> pei=> create user foo2 createdb;
> CREATE ROLE
> pei=> \c - foo2
> You are now connected to database "pei" as user "foo2".
> pei=> create database test;
> CREATE DATABASE
I had this issue once, too. CREATEROLE doesn't imply any inheritance from a
role which gots this privilege, thus you are required to treat such roles
much the same as superuser. This behavior is documented (well, at least in
8.2, haven't looked in 8.1):
<http://www.postgresql.org/docs/8.2/interactive/sql-createrole.html>
<snip>
Be careful with the CREATEROLE privilege. There is no concept of
inheritance for the privileges of a CREATEROLE-role. That means that even
if a role does not have a certain privilege but is allowed to create other
roles, it can easily create another role with different privileges than its
own (except for creating roles with superuser privileges). For example, if
the role "user" has the CREATEROLE privilege but not the CREATEDB
privilege, nonetheless it can create a new role with the CREATEDB
privilege. Therefore, regard roles that have the CREATEROLE privilege as
almost-superuser-roles.
</snip>
--
Thanks
Bernd
| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Bernd Helmle <mailings(at)oopsware(dot)de> |
| Cc: | Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: CREATEROLE, CREATEDB |
| Date: | 2007-06-05 15:47:48 |
| Message-ID: | 17839.1181058468@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Lists: | pgsql-hackers |
Bernd Helmle <mailings(at)oopsware(dot)de> writes:
> --On Dienstag, Juni 05, 2007 16:04:44 +0200 Peter Eisentraut
> <peter_e(at)gmx(dot)net> wrote:
>> Is it correct that a user with CREATEROLE privilege but without CREATEDB
>> privilege can create a user with *CREATEDB* privilege, thus bypassing his
>> original restrictions?
> I had this issue once, too. CREATEROLE doesn't imply any inheritance from a
> role which gots this privilege, thus you are required to treat such roles
> much the same as superuser. This behavior is documented (well, at least in
> 8.2, haven't looked in 8.1):
This is by design --- the point of CREATEROLE is that you can do
anything you want in the line of account management, without having
all the dangers inherent in being a real superuser. It's not something
you'd give out to people you didn't trust.
regards, tom lane
| From: | Chander Ganesan <chander(at)otg-nc(dot)com> |
|---|---|
| To: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: CREATEROLE, CREATEDB |
| Date: | 2007-06-05 19:29:14 |
| Message-ID: | 4665B98A.8010801@otg-nc.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Lists: | pgsql-hackers |
Peter Eisentraut wrote:
> Is it correct that a user with CREATEROLE privilege but without CREATEDB
> privilege can create a user with *CREATEDB* privilege, thus bypassing his
> original restrictions? This sequence doesn't look right:
>
> pei=# create user foo1 createrole;
> CREATE ROLE
> pei=# \c - foo1
> You are now connected to database "pei" as user "foo1".
> pei=> create database test;
> ERROR: permission denied to create database
> pei=> create user foo2 createdb;
> CREATE ROLE
> pei=> \c - foo2
> You are now connected to database "pei" as user "foo2".
> pei=> create database test;
> CREATE DATABASE
>
>
that's how its documented:
http://www.postgresql.org/docs/8.2/interactive/sql-createrole.html
Be careful with the CREATEROLE privilege. There is no concept of
inheritance for the privileges of a CREATEROLE-role. That means that
even if a role does not have a certain privilege but is allowed to
create other roles, it can easily create another role with different
privileges than its own (except for creating roles with superuser
privileges). For example, if the role "user" has the CREATEROLE
privilege but not the CREATEDB privilege, nonetheless it can create a
new role with the CREATEDB privilege. Therefore, regard roles that have
the CREATEROLE privilege as almost-superuser-roles.
--
Chander Ganesan
The Open Technology Group
One Copley Parkway, Suite 210
Morrisville, NC 27560
Phone: 877-258-8987/919-463-0999
http://www.otg-nc.com