Re: CREATE USER and pg_user

On Mon, Aug 22, 2005 at 09:19:46PM -0400, Tom Lane wrote:
> "Jim Nasby" <jnasby@pervasive.com> writes:
> > Yes, but it doesn't really specify if you have to have a privilege in order to grant it, although reading one of
thenotes[1] tends to indicate that you must have a role in order to grant it. Unless I'm overlooking some part of the
docs?
> 
> It says
> 
>     You must yourself be a superuser to create a new superuser.

Sorry, I guess we're talking past each other.

My original point was that if you don't have permission to do something,
you shouldn't be able to grant permissions to do it. This applies to all
the permissions, not just superuser (though that one's obviously the
most dangerous). Granted, at this point I think the only permission this
would really matter on (other than SUPERUSER/CREATEUSER) is CREATEDB,
but that will probably change if more privleges are added. It seems we
should set the standard now that if you don't have a permission you
can't grant it, rather than wait 'til later.
-- 
Jim C. Nasby, Sr. Engineering Consultant      jnasby@pervasive.com
Pervasive Software        http://pervasive.com        512-569-9461