>
>
> So, why a role with NOCREATEDB can create a role who can create DB?
>
Cannot answer why but given it is documented as working this way this isn’t
a bug.
“ Be careful with the CREATEROLE privilege. There is no concept of
inheritance for the privileges of a CREATEROLE-role. That means that even
if a role does not have a certain privilege but is allowed to create other
roles, it can easily create another role with different privileges than its
own (except for creating roles with superuser privileges)”
https://www.postgresql.org/docs/12/sql-createrole.html
David J.