Re: Create role question

Lists: pgsql-general
From: Joachim Wieland <joe(at)mcknight(dot)de>
To: pgsql-general(at)postgresql(dot)org
Subject: Create role question
Date: 2005-11-20 11:23:49
Message-ID: 20051120112349.GA2305@mcknight.de

Hi, I wonder if the following behavior is intentional or not:

template1=# create role r1 nocreatedb createrole;
CREATE ROLE
template1=# set role r1;
SET
template1=> create role r2 createdb;
CREATE ROLE
template1=> set role r2;
SET
template1=> create database d1;
CREATE DATABASE

So in effect, if you grant the CREATEROLE privilege, you automatically grant
CREATEDB as well... I haven't found a clear statement about that in the
documentation, but if it is intentional, the description of the CREATEROLE
privilege should contain a note about that.

One (or I at least) would have suspected that a role can only create other
roles with privileges it has been granted itself.

Joachim


From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Joachim Wieland <joe(at)mcknight(dot)de>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Create role question
Date: 2005-11-20 16:53:15
Message-ID: 28894.1132505595@sss.pgh.pa.us

Joachim Wieland <joe(at)mcknight(dot)de> writes:
> So in effect, if you grant the CREATEROLE privilege, you automatically grant
> CREATEDB as well...

Not to mention a whole lot of other privileges. CREATEROLE is pretty
nearly superuser from a what-can-you-do point of view. It only disables
the ability to actively break the database system (eg by directly
modifying system catalogs).

regards, tom lane
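
An audit query for the behavior discussed in this thread, added here as an example and not part of either message: it lists non-superuser roles that hold CREATEROLE, plus every role that can reach one of them through role membership. It assumes a PostgreSQL release that supports WITH RECURSIVE (8.4 or later) and treats every membership as permitting SET ROLE.

```sql
-- Added example: find roles that hold CREATEROLE without being superusers,
-- and the roles that can act as them via membership (SET ROLE).
-- Uses only the system catalogs pg_roles and pg_auth_members.
WITH RECURSIVE createrole_holders AS (
    SELECT oid AS holder_oid, rolname AS holder
    FROM pg_roles
    WHERE rolcreaterole
      AND NOT rolsuper
),
reach AS (
    -- depth 0: the CREATEROLE role itself
    SELECT holder_oid, holder, holder_oid AS member_oid, 0 AS depth
    FROM createrole_holders
    UNION ALL
    -- depth n+1: any role that is a member of a role already in the set
    -- (role membership cannot be circular, so the recursion terminates)
    SELECT r.holder_oid, r.holder, m.member, r.depth + 1
    FROM reach r
    JOIN pg_auth_members m ON m.roleid = r.member_oid
)
SELECT r.holder        AS createrole_role,
       p.rolname       AS role_that_can_use_it,
       min(r.depth)    AS membership_hops,   -- 0 means the role holds it directly
       p.rolcanlogin   AS can_login,
       p.rolcreatedb   AS has_createdb_itself
FROM reach r
JOIN pg_roles p ON p.oid = r.member_oid
GROUP BY r.holder, p.rolname, p.rolcanlogin, p.rolcreatedb
ORDER BY createrole_role, membership_hops, role_that_can_use_it;
```

Rows where has_createdb_itself is false correspond to the r1 case shown in the first message: the role lacks CREATEDB but can create another role that has it.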