Skip site navigation (1) Skip section navigation (2)

superusers are members of all roles?

From: Andrew Dunstan <andrew(at)dunslane(dot)net>
To: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: superusers are members of all roles?
Date: 2011-04-06 23:04:42
Message-ID: 4D9CF18A.503@dunslane.net (view raw or flat)
Thread:
Lists: pgsql-hackers
I just hit this, which at least violated my sense of least astonishment, 
if it's not an outright bug:

After creating a role foo, I added to following lines to my (9.0) 
pg_hba.conf:

    local    all +foo           reject
    host     all +foo 0.0.0.0/0 reject

The surprising (to me) consequence was that every superuser was locked 
out of the system. I had not granted them (or anyone) the role, but 
nevertheless these lines took effect.

If this is intended, it should at least be documented. But if it is 
intended then it's ugly anyway, IMNSHO, and we should change it.

cheers

andrew

Responses

pgsql-hackers by date

Next:From: Stephen FrostDate: 2011-04-06 23:54:06
Subject: Re: superusers are members of all roles?
Previous:From: Jeff DavisDate: 2011-04-06 22:39:27
Subject: Re: lowering privs in SECURITY DEFINER function

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group