Re: CREATE ROLE bug?

From: "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>
To: Bruce Momjian <bruce(at)momjian(dot)us>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: CREATE ROLE bug?
Date: 2023-01-25 14:38:51
Message-ID: CAKFQuwag6RzTrpdkmzMj9C_nb25EAv8cURARvx+v3NyY=N8dEw@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Wed, Jan 25, 2023 at 7:35 AM Bruce Momjian <bruce(at)momjian(dot)us> wrote:

>
> So, how would someone with CREATEROLE permission add people to their own
> role, without superuser permission? Are we adding any security by
> preventing this?
>
>
As an encouraged design choice you wouldn't. You'd create a new group and
add both yourself and the new role to it - then grant it the desired
permissions.

A CREATEROLE role should probably be a user (LOGIN) role and user roles
should not have members.

David J.

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message songjinzhou 2023-01-25 14:39:25 Re: Re: Support plpgsql multi-range in conditional control
Previous Message Bruce Momjian 2023-01-25 14:35:31 Re: CREATE ROLE bug?