Re: CREATE USER and createuser not working the same

Le vendredi 14 septembre 2007, Cédric Villemain a écrit :
> Le jeudi 13 septembre 2007, Tom Lane a écrit :
> > =?ISO-8859-1?Q?St=E9phane_Schildknecht?=
>
> <stephane(dot)schildknecht(at)postgresqlfr(dot)org> writes:
> > > It seems the shell command createuser and the SQL CREATE USER don't act
> > > the same way,
> >
> > They aren't really claimed to.
>
> But the man say :
> " createuser is a wrapper around the SQL command CREATE ROLE
> [create_role(7)]. There is no effective difference between creating users
> via this utility and via other methods for accessing the server."
>
> > But the difference you point to is
> > irrelevant, since a superuser has createrole and createdb privilege
> > (and every other privilege) independently of what those columns say.
>

The superuser has no createrole and createdb privilege, he has superuser
privilege, which is enought to bypass createrole and createdb privilege.

There where no real answer about that.
What do we do ?

> It is right, but look at this scenario :
>
> CREATE ROLE super SUPERUSER;
> ALTER ROLE super NOSUPERUSER;
>
> No RIGHT to CREATEDB.
>
> If superuser is created using commandline, he can still CREATEDB after the
> same ALTER ROLE
>
> I think there is 2 options:
>
> - change the manual and keep the actual method.
> - don't stop asking privilege on createuser (it actually break after 'yes'
> to superuser)
>
> or do nothing...

--
Cédric Villemain
Administrateur de Base de Données
Cel: +33 (0)6 74 15 56 53
http://dalibo.com - http://dalibo.org