On 30/08/2023 03:21 CEST Laurenz Albe <laurenz.albe@xxxxxxxxxxx> wrote:
> I am somewhat surprised too, but it has been like that since commit 8ae0d476a9
> in 2005.
Yeah, unlikely to find out why after 18 years.
> The code is pretty clear about that:
>
> if (superuser == TRI_YES)
> {
> /* Not much point in trying to restrict a superuser */
> createdb = TRI_YES;
> createrole = TRI_YES;
> }
>
> I would say that changing that long standing behavior would cause more harm
> than benefit.
Sure, but it sounds like a reasonable change for a future major release.
> First, as the code says, it doesn't make a lot of difference. And who knows,
> perhaps someone somewhere creates superusers, later changes them to NOSUPERUSER
> and expects CREATEDB and CREATEROLE to be set after that.
Just realized that the bootstrap user has all attributes even though not needed
as a superuser. Maybe that's the reason for createuser's behavior. But why
only CREATEDB and CREATEROLE then?
> If anything, we could add something to the documentation.
Anyway, I prepared a patch for the docs. But I'm not sure if the description
should still read "There is no effective difference between creating users via
this utility and via other methods for accessing the server."
--
ErikFrom 57309068a0c279f06fe85532e45e2a6813f72d32 Mon Sep 17 00:00:00 2001
From: Erik Wienhold <ewie@xxxxxxxxx>
Date: Mon, 4 Sep 2023 02:54:40 +0200
Subject: [PATCH] Document privileges createuser grants to superusers
Commit 8ae0d476a9 added option --superuser to createuser. In contrast
to CREATE ROLE, createuser also grants CREATEDB and CREATEROLE to new
superusers. This commit documents this feature.
---
doc/src/sgml/ref/createuser.sgml | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/doc/src/sgml/ref/createuser.sgml b/doc/src/sgml/ref/createuser.sgml
index 5c34c62342..73c5ae9d77 100644
--- a/doc/src/sgml/ref/createuser.sgml
+++ b/doc/src/sgml/ref/createuser.sgml
@@ -56,6 +56,9 @@ PostgreSQL documentation
<acronym>SQL</acronym> command <link linkend="sql-createrole"><command>CREATE ROLE</command></link>.
There is no effective difference between creating users via
this utility and via other methods for accessing the server.
+ But note that <application>createuser</application> also grants
+ <literal>CREATEDB</literal> and <literal>CREATEROLE</literal>
+ to superusers.
</para>
</refsect1>
@@ -120,7 +123,7 @@ PostgreSQL documentation
<listitem>
<para>
The new user will not be allowed to create databases. This is the
- default.
+ default, except when <option>--superuser</option> is also specified.
</para>
</listitem>
</varlistentry>
@@ -265,7 +268,7 @@ PostgreSQL documentation
<listitem>
<para>
The new user will not be allowed to create new roles. This is the
- default.
+ default, except when <option>--superuser</option> is also specified.
</para>
</listitem>
</varlistentry>
@@ -275,7 +278,8 @@ PostgreSQL documentation
<term><option>--superuser</option></term>
<listitem>
<para>
- The new user will be a superuser.
+ The new user will be a superuser. Also implies <option>--createdb</option>
+ and <option>--createrole</option>.
</para>
</listitem>
</varlistentry>
--
2.42.0
