superusers are members of all roles?

From: Andrew Dunstan <andrew(at)dunslane(dot)net>
To: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: superusers are members of all roles?
Date: 2011-04-06 23:04:42
Message-ID: 4D9CF18A.503@dunslane.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers


I just hit this, which at least violated my sense of least astonishment,
if it's not an outright bug:

After creating a role foo, I added to following lines to my (9.0)
pg_hba.conf:

local all +foo reject
host all +foo 0.0.0.0/0 reject

The surprising (to me) consequence was that every superuser was locked
out of the system. I had not granted them (or anyone) the role, but
nevertheless these lines took effect.

If this is intended, it should at least be documented. But if it is
intended then it's ugly anyway, IMNSHO, and we should change it.

cheers

andrew

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Stephen Frost 2011-04-06 23:54:06 Re: superusers are members of all roles?
Previous Message Jeff Davis 2011-04-06 22:39:27 Re: lowering privs in SECURITY DEFINER function