Re: BUG #13694: Row Level Security by-passed with CREATEUSER permission

On 10/21/2015 09:42 AM, justin.catterson@sofiebio.com wrote:
> The following bug has been logged on the website:
>=20
> Bug reference:      13694
> Logged by:          Justin Catterson
> Email address:      justin.catterson@sofiebio.com
> PostgreSQL version: 9.5beta1
> Operating system:   Ubuntu 14.10 x64
> Description:       =20
>=20
> Users with the CREATEUSER permission do not evaluate Row Level Security=

> functions.  pg_user usebypassrls is set to false.

Not a bug. See
 http://www.postgresql.org/docs/9.5/static/sql-createrole.html

"CREATEUSER
NOCREATEUSER

    These clauses are an obsolete, but still accepted, spelling of
SUPERUSER and NOSUPERUSER. Note that they are not equivalent to
CREATEROLE as one might naively expect!"

And:
 http://www.postgresql.org/docs/9.5/static/ddl-rowsecurity.html

"Table owners, superusers, and roles with the BYPASSRLS attribute bypass
the row security system when querying a table."

HTH,

Joe

--=20
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development