Re: CREATEROLE, CREATEDB

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Bernd Helmle <mailings(at)oopsware(dot)de>
Cc: Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: CREATEROLE, CREATEDB
Date: 2007-06-05 15:47:48
Message-ID: 17839.1181058468@sss.pgh.pa.us
Lists: pgsql-hackers
Bernd Helmle <mailings(at)oopsware(dot)de> writes:
> --On Tuesday, June 05, 2007 16:04:44 +0200 Peter Eisentraut
> <peter_e(at)gmx(dot)net> wrote:
>> Is it correct that a user with CREATEROLE privilege but without CREATEDB
>> privilege can create a user with *CREATEDB* privilege, thus bypassing his
>> original restrictions?

> I had this issue once, too. CREATEROLE doesn't imply any inheritance from a 
> role which got this privilege, thus you are required to treat such roles
> much the same as superuser. This behavior is documented (well, at least in 
> 8.2, haven't looked in 8.1):

This is by design --- the point of CREATEROLE is that you can do
anything you want in the line of account management, without having
all the dangers inherent in being a real superuser.  It's not something
you'd give out to people you didn't trust.

			regards, tom lane
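
An added audit query, not part of the original message: it lists every non-superuser role that holds CREATEROLE, directly or through membership in a role that does, since the thread says such roles have to be treated much like superuser. It assumes the standard pg_roles and pg_auth_members catalogs and a server with recursive CTE support; the output column names are chosen here for illustration.

```sql
-- Added example. Assumes CREATEROLE behaves as described in this thread:
-- a role holding it can create a new role with CREATEDB even when it
-- lacks CREATEDB itself.
WITH RECURSIVE reach AS (
    -- Non-superuser roles that hold CREATEROLE directly.
    SELECT r.oid AS holder, r.rolname AS createrole_via
    FROM pg_roles r
    WHERE r.rolcreaterole AND NOT r.rolsuper
  UNION
    -- Members of those roles, at any depth. Role attributes are not
    -- inherited, but a member can SET ROLE to the CREATEROLE role.
    SELECT m.member, reach.createrole_via
    FROM pg_auth_members m
    JOIN reach ON m.roleid = reach.holder
)
SELECT h.rolname      AS role_name,
       reach.createrole_via,
       h.rolcanlogin  AS can_login,
       -- false here is the case asked about in the thread: the role has
       -- no CREATEDB of its own but can reach it through CREATEROLE.
       h.rolcreatedb  AS has_createdb
FROM reach
JOIN pg_roles h ON h.oid = reach.holder
WHERE NOT h.rolsuper
ORDER BY h.rolname, reach.createrole_via;
```

Every row is an account to review against the "people you trust" criterion given above; rows with can_login true and has_createdb false are the ones whose CREATEDB restriction is not effective.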
