Re: let's disallow ALTER ROLE bootstrap_superuser NOSUPERUSER
From | Tom Lane |
---|---|
Subject | Re: let's disallow ALTER ROLE bootstrap_superuser NOSUPERUSER |
Date | |
Msg-id | 39752.1658420887@sss.pgh.pa.us |
In response to | let's disallow ALTER ROLE bootstrap_superuser NOSUPERUSER (Robert Haas <robertmhaas@gmail.com>) |
Responses |
Re: let's disallow ALTER ROLE bootstrap_superuser NOSUPERUSER
Re: let's disallow ALTER ROLE bootstrap_superuser NOSUPERUSER |
List | pgsql-hackers |
Robert Haas <robertmhaas@gmail.com> writes:
> Currently, it's possible to remove the rolissuper bit from the
> bootstrap superuser, but this leaves that user - and the system in
> general - in an odd state. The bootstrap user continues to own all of
> the objects it owned before, e.g. all of the system catalogs. Direct
> DML on system catalogs is blocked by pg_class_aclmask_ext(), but it's
> possible to do things like rename a system function out of the way and
> create a new function with the same signature. Therefore, creating a
> new superuser and making the original one a non-superuser is probably
> not viable from a security perspective, because anyone who gained
> access to that role would likely have little difficulty mounting a
> Trojan horse attack against the current superusers.

True, but what if the idea is to have *no* superusers? I seem to recall people being interested in setups like that.

On the whole I don't have any objection to your proposal, I just worry that somebody else will. Of course there's always "UPDATE pg_authid SET rolsuper = false", which makes it absolutely clear that you're breaking the glass cover.

regards, tom lane