Hi Markus,
Please see comment at the bottonm of this email!
On 21/03/2019 05:36, Zwettler Markus (OIZ) wrote:
Yes, that would be totally ok. Like the "with [grant|admin] option" privilege model in SQL. It should be done with all these predefined top-level database roles like CREATEROLE.
It's doesn't only seem bogus but also a security hole when users can get privileges they have never been granted.
Markus
[...]
A way of indicating content has been omitted!
In ancient times, early 1990's '[ omitted ]' was used, but I started
the trend of using '[...]'.
Hmm. Thinking about it a bit more carefully, it does seem bogus that a role that has CREATEROLE but not CREATEDB can make a role that has the latter privilege. It would be more sensible to have a uniform rule that "you can't grant a privilege you don't have yourself", which would mean that the OP's problem could perhaps be solved by making a role that has CREATEROLE but not CREATEDB.
You could imagine going further and applying the full SQL privilege model to these things, which would make it possible to have a role that has CREATEDB (so can make DBs itself) but can't pass that privilege on to others for lack of grant options on CREATEDB.
But that would be a very much bigger chunk of work, and I'm not sure I see the payback.
regards, tom lane
In the postgres groups, please bottom post, as that is the convention here.
Bottom posting makes it easier to follow what is happening.
You can also intersperse comments an omit chunks that are no longer
relevant.
Thanks,
Gavin
