Create role question

Started by Joachim Wieland, over 20 years ago, 2 messages, general
#1 Joachim Wieland
joe@mcknight.de

Hi, I wonder if the following behavior is intentional or not:

template1=# create role r1 nocreatedb createrole;
CREATE ROLE
template1=# set role r1;
SET
template1=> create role r2 createdb;
CREATE ROLE
template1=> set role r2;
SET
template1=> create database d1;
CREATE DATABASE

So in effect, if you grant the CREATEROLE privilege, you automatically grant
CREATEDB as well... I haven't found a clear statement about that in the
documentation, but if it is intentional, the description of the CREATEROLE
privilege should contain a note about that.

One (or I at least) would have suspected that a role can only create other
roles with privileges it has been granted itself..

Joachim

#2 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Joachim Wieland (#1)
Re: Create role question

Joachim Wieland <joe@mcknight.de> writes:

> So in effect, if you grant the CREATEROLE privilege, you automatically grant
> CREATEDB as well...

Not to mention a whole lot of other privileges. CREATEROLE is pretty
nearly superuser from a what-can-you-do point of view. It only disables
the ability to actively break the database system (e.g. by directly
modifying system catalogs).

regards, tom lane
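
An audit query for the effect discussed in this thread, added here as an example and not part of either message: it lists every non-superuser role that holds CREATEROLE or can reach a role holding it through role membership, so each can be reviewed as if it also held CREATEDB. It reads only the pg_roles and pg_auth_members catalogs and assumes any membership permits SET ROLE.

```sql
-- Added example: audit of who can reach CREATEROLE without being superuser.
-- Assumption: membership in a role is enough to SET ROLE to it, as in the
-- releases this thread discusses. PostgreSQL 16 and later also restrict
-- which attributes a CREATEROLE role may hand out, so treat the result as
-- a review list, not as proof of escalation on those versions.
WITH RECURSIVE reach(member_oid, role_oid, path) AS (
    -- Base case: every role reaches itself.
    SELECT r.oid, r.oid, ARRAY[r.rolname::text]
    FROM pg_roles r
  UNION ALL
    -- Step: a role also reaches every role it is a member of.
    SELECT reach.member_oid, m.roleid, reach.path || g.rolname::text
    FROM reach
    JOIN pg_auth_members m ON m.member = reach.role_oid
    JOIN pg_roles g ON g.oid = m.roleid
    WHERE g.rolname::text <> ALL (reach.path)  -- defensive cycle guard
)
SELECT who.rolname                         AS role,
       who.rolcanlogin                     AS can_login,
       who.rolcreatedb                     AS has_createdb_attr,
       array_to_string(reach.path, ' -> ') AS createrole_via
FROM reach
JOIN pg_roles who ON who.oid = reach.member_oid
JOIN pg_roles tgt ON tgt.oid = reach.role_oid
WHERE tgt.rolcreaterole      -- the reached role carries CREATEROLE
  AND NOT who.rolsuper       -- superusers are out of scope for this audit
ORDER BY who.rolname, createrole_via;
```

Rows where has_createdb_attr is false are the case from the first message: the role was created NOCREATEDB but can still end up creating databases through a role it creates.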