Re: CREATE ROLE bug?
From | Bruce Momjian |
---|---|
Subject | Re: CREATE ROLE bug? |
Date | |
Msg-id | Y9FNgnfW7u8teYJ9@momjian.us |
In reply to | Re: CREATE ROLE bug? ("David G. Johnston" <david.g.johnston@gmail.com>) |
List | pgsql-hackers |
On Wed, Jan 25, 2023 at 07:38:51AM -0700, David G. Johnston wrote:
> On Wed, Jan 25, 2023 at 7:35 AM Bruce Momjian <bruce@momjian.us> wrote:
>
> > So, how would someone with CREATEROLE permission add people to their own
> > role, without superuser permission? Are we adding any security by
> > preventing this?
>
> As an encouraged design choice you wouldn't. You'd create a new group and add
> both yourself and the new role to it - then grant it the desired permissions.
>
> A CREATEROLE role should probably be a user (LOGIN) role and user roles should
> not have members.

Makes sense. I was actually using that pattern, but in running some test
scripts that didn't revert back to the superuser, I saw the errors and
was confused.

--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com

Embrace your flaws. They make you human, rather than perfect,
which you will never be.
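
The group pattern described in the quoted reply, written out as an added SQL example that is not part of the original messages. The role names `dave`, `alice` and `app_rw`, the schema `app` and the table `app.orders` are hypothetical, and the session is assumed to start as a superuser only for the one-time setup.

```sql
-- Constructed example; all role, schema and table names are hypothetical.

-- One-time setup as superuser: a LOGIN role that may create other roles,
-- plus a schema it owns so it has something to grant privileges on.
CREATE ROLE dave LOGIN CREATEROLE;
CREATE SCHEMA app AUTHORIZATION dave;

-- Everything from here on runs with dave's privileges, not the superuser's.
SET SESSION AUTHORIZATION dave;

CREATE TABLE app.orders (id int PRIMARY KEY, note text);

-- The question in the thread was about adding members to dave's own role
-- (GRANT dave TO alice). That statement is deliberately not used here:
-- dave stays a user role with no members.

-- Instead, a NOLOGIN group carries the privileges ...
CREATE ROLE app_rw NOLOGIN;
CREATE ROLE alice LOGIN;

-- ... and both the creator and the new user become members of it.
GRANT app_rw TO dave, alice;

-- Privileges go to the group, never to individual login roles.
GRANT USAGE ON SCHEMA app TO app_rw;
GRANT SELECT, INSERT, UPDATE ON app.orders TO app_rw;

-- Check: list the members of the group.
-- DISTINCT is used because one member can hold several grants of the
-- same role from different grantors.
SELECT DISTINCT g.rolname AS group_role, m.rolname AS member
FROM pg_auth_members am
JOIN pg_roles g ON g.oid = am.roleid
JOIN pg_roles m ON m.oid = am.member
WHERE g.rolname = 'app_rw'
ORDER BY member;

-- Check: what the group can do on the table.
SELECT grantee, privilege_type
FROM information_schema.role_table_grants
WHERE table_schema = 'app' AND table_name = 'orders'
  AND grantee = 'app_rw'
ORDER BY privilege_type;

-- Return to the superuser so later statements in a script do not
-- silently keep running as dave.
RESET SESSION AUTHORIZATION;
```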