Re: Bug #931: bugs "create user" "alter user"

On Thu, 3 Apr 2003 pgsql-bugs(at)postgresql(dot)org wrote:

> techi (snieznik(at)interia(dot)pl) reports a bug with a severity of 2
> The lower the number the more severe it is.

> (FIRST METHOD)
> CREATE USER Michael ; or CREATE DATABASE school ;
> The output is for both commands : PERMISSION DENIED
> and that's ok.
>
> BUT when I as a superuser create a new user called "Paul" with
> command
> (SECOND METHOD)
> CREATE USER Paul WITH NOCREATEDB NOCREATEUSER ;
> The output is CREATE USER .
> and here is a bug .
> When I am logged to psql as a new user techi and I am trying
> to create a database or create user ---- and unfortunatelly
> it is working .
> Paul is allowed to create a new user acount and a new
> database but he couldn't do it !!!!!!!!!!!!!

I'm not sure what you're saying here. Are you saying that paul was
allowed and techi wasn't and both were created the same way?

> ALTER USER Robert WITH CREATEUSER ;
> The output is ok .
> But something goes wrong , the user Rober is also allowed to
> create a database!!!!!!!!!!! he shouldn't do it !!!!!!!

I think createuser implies superuser access currently so nocreatedb is
trumped by that. The man page in current version seems to say that for
ALTER USER (although the text is kind of poor).