diff -cr cvs/pgsql/doc/src/sgml/ref/create_role.sgml cvs.doc/pgsql/doc/src/sgml/ref/create_role.sgml
*** cvs/pgsql/doc/src/sgml/ref/create_role.sgml 2005-11-20 13:42:46.000000000 +0100
--- cvs.doc/pgsql/doc/src/sgml/ref/create_role.sgml 2005-12-09 11:52:24.000000000 +0100
***************
*** 345,350 ****
--- 345,363 ----
+ Be careful with the CREATEROLE> privilege. There is no concept of
+ inheritance for the privileges of a CREATEROLE>-role. That
+ means that even if a role does not have a certain privilege but is allowed
+ to create other roles, it can easily create another role with different
+ privileges than its own (except for creating roles with superuser
+ privileges). For example, if the role user> has the
+ CREATEROLE> privilege but not the CREATEDB> privilege,
+ nonetheless it can create a new role with the CREATEDB>
+ privilege. Therefore, regard roles that have the CREATEROLE>
+ privilege as almost-superuser-roles.
+
+
+
PostgreSQL includes a program that has
the same functionality as CREATE ROLE (in fact,