On Wed, Jan 25, 2023 at 08:47:14AM -0500, Robert Haas wrote:
> > I am not sure if the behavior is wrong, the error message is wrong, or
> > it is working as expected.
>
> It is indeed related to that discussion and change. In existing
> released branches, a CREATEROLE user can make any role a member of any
> other role even if they have no rights at all with respect to that
> role. This means that a CREATEROLE user can create a new user in the
> pg_execute_server_programs group even though they have no access to
> it. That allows any CREATEROLE user to take over the OS account, and
> thus also superuser. In master, the rules have been tightened up.
> CREATEROLE no longer exempts you from the usual permission checks
> about adding a user to a group. This means that a CREATEROLE user now
> needs the same permissions to add a user to a group as any other user
> would need, i.e. ADMIN OPTION on the group.
>
> In your example, the "service" user has CREATEROLE and is therefore
> entitled to create new roles. However, "service" can only add those
> new roles to groups for which "service" possesses ADMIN OPTION. And
> "service" does not have ADMIN OPTION on itself, because no role ever
> possesses ADMIN OPTION on itself.

So, how would someone with CREATEROLE permission add people to their own
role, without superuser permission? Are we adding any security by
preventing this?
--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com
Embrace your flaws. They make you human, rather than perfect,
which you will never be.
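
The following is an added illustration of the permission model Robert describes above; it is not code from the thread or from the PostgreSQL project. The role names (service, app_readers, alice) are constructed for the example, and the setup assumes a superuser prepares the groups and that a separate CREATEROLE role then tries to manage membership.

```sql
-- Run as a superuser: create a CREATEROLE "service" role and an ordinary group.
-- (Names are constructed for this example.)
CREATE ROLE service CREATEROLE LOGIN;
CREATE ROLE app_readers;

-- The superuser delegates membership management of app_readers to service
-- by granting ADMIN OPTION on that group. This is the permission the new
-- rule in master checks; CREATEROLE alone no longer bypasses it.
GRANT app_readers TO service WITH ADMIN OPTION;

-- Now act as the CREATEROLE user.
SET ROLE service;

-- CREATEROLE still allows creating new roles.
CREATE ROLE alice LOGIN;

-- Works: service holds ADMIN OPTION on app_readers.
GRANT app_readers TO alice;

-- With the tightened rule, this is rejected: service has no ADMIN OPTION on
-- the predefined pg_execute_server_programs group, so a CREATEROLE user can
-- no longer hand out OS-level program execution to a role it creates.
-- (Expected to fail with a permission error under the rules described above.)
GRANT pg_execute_server_programs TO alice;

-- Likewise rejected: as the quoted text notes, no role ever holds ADMIN OPTION
-- on itself, so service cannot add alice directly to the service role.
GRANT service TO alice;

RESET ROLE;

-- Inspect what service can administer: rows with admin_option = true are the
-- groups into which service may add members.
SELECT r.rolname AS group_name, m.admin_option
  FROM pg_auth_members m
  JOIN pg_roles r ON r.oid = m.roleid
  JOIN pg_roles g ON g.oid = m.member
 WHERE g.rolname = 'service';
```

The pattern this shows is that the privilege to add members to a group is scoped by explicit ADMIN OPTION grants rather than by the global CREATEROLE attribute, so the set of groups a delegated administrator can populate is visible in pg_auth_members and can be audited.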