Re: CREATEROLE, CREATEDB

From: Chander Ganesan <chander(at)otg-nc(dot)com>
To: Peter Eisentraut <peter_e(at)gmx(dot)net>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: CREATEROLE, CREATEDB
Date: 2007-06-05 19:29:14
Message-ID: 4665B98A.8010801@otg-nc.com
Lists: pgsql-hackers
Peter Eisentraut wrote:
> Is it correct that a user with CREATEROLE privilege but without CREATEDB 
> privilege can create a user with *CREATEDB* privilege, thus bypassing his 
> original restrictions?  This sequence doesn't look right:
>
> pei=# create user foo1 createrole;
> CREATE ROLE
> pei=# \c - foo1
> You are now connected to database "pei" as user "foo1".
> pei=> create database test;
> ERROR:  permission denied to create database
> pei=> create user foo2 createdb;
> CREATE ROLE
> pei=> \c - foo2
> You are now connected to database "pei" as user "foo2".
> pei=> create database test;
> CREATE DATABASE
>
That's how it's documented:
http://www.postgresql.org/docs/8.2/interactive/sql-createrole.html

Be careful with the CREATEROLE privilege. There is no concept of 
inheritance for the privileges of a CREATEROLE-role. That means that 
even if a role does not have a certain privilege but is allowed to 
create other roles, it can easily create another role with different 
privileges than its own (except for creating roles with superuser 
privileges). For example, if the role "user" has the CREATEROLE 
privilege but not the CREATEDB privilege, nonetheless it can create a 
new role with the CREATEDB privilege. Therefore, regard roles that have 
the CREATEROLE privilege as almost-superuser-roles.

-- 
Chander Ganesan
The Open Technology Group
One Copley Parkway, Suite 210
Morrisville, NC  27560
Phone: 877-258-8987/919-463-0999
http://www.otg-nc.com
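An audit query that follows from the documentation passage quoted above, added here as an example and not part of the thread or of the PostgreSQL project: it lists every non-superuser role holding CREATEROLE, since each of them can create roles with privileges (such as CREATEDB) that it does not hold itself. It uses only the standard `pg_catalog.pg_roles` columns; the role name in the commented mitigation line is a placeholder taken from the thread's own example.

```sql
-- Added example (not from the thread): list roles that should be treated as
-- "almost-superuser" per the CREATEROLE documentation. A role with CREATEROLE
-- but without superuser can still mint new roles carrying CREATEDB, so the
-- real privilege boundary is CREATEROLE, not CREATEDB.
SELECT rolname,
       rolcreaterole,   -- true: can create/alter other (non-superuser) roles
       rolcreatedb,     -- may be false and still be able to hand out CREATEDB
       rolcanlogin
FROM   pg_catalog.pg_roles
WHERE  rolcreaterole
  AND  NOT rolsuper
ORDER  BY rolname;

-- Mitigation for a role that only needed CREATEDB but was given CREATEROLE
-- (foo1 is the example role from the thread; substitute the flagged name):
-- ALTER ROLE foo1 NOCREATEROLE CREATEDB;
```

Run it as a superuser (or any role able to read `pg_roles`) and review each row: in the thread's scenario, `foo1` appears with `rolcreaterole = t` and `rolcreatedb = f`, which is exactly the combination the documentation warns about.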

