Re: ROLE INHERIT - Mailing list pgsql-general

From Tom Lane
Subject Re: ROLE INHERIT
Date
Msg-id 11726.1171609108@sss.pgh.pa.us
In response to Re: ROLE INHERIT  (Kenneth Downs <ken@secdat.com>)
Responses Re: ROLE INHERIT  (Kenneth Downs <ken@secdat.com>)
List pgsql-general
Kenneth Downs <ken@secdat.com> writes:
> Except for the hole.  On a public site that lets users register, we have
> to have a way to let the web server assume the role of somebody who has
> createuser privilege, and that's pretty much the end of the no-root
> policy.  If an exploit could be placed, it could simply go into that
> mode and create a superuser.

> What would be really nice is if you could limit the ability of
> CREATEUSER to grant roles.

I believe that a role that has CREATEROLE but not SUPERUSER can only
create non-SUPERUSER roles.  Does that help?

            regards, tom lane
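
The behaviour described in the reply above can be checked directly in a scratch cluster. This is an added example, not part of the original message; the role names `web_registrar`, `site_user_1` and `rogue_admin` are constructed, and it assumes the session starts as a superuser.

```sql
-- Registration role for the web server: may create roles, is not a superuser.
-- Older releases also accepted CREATEUSER as an obsolete spelling of
-- SUPERUSER; CREATEROLE is the attribute meant here.
CREATE ROLE web_registrar LOGIN CREATEROLE NOSUPERUSER;

-- Act as the web server's role for the checks below.
SET ROLE web_registrar;

-- Allowed: an ordinary account for a newly registered site user.
CREATE ROLE site_user_1 LOGIN NOSUPERUSER NOCREATEROLE;

-- Both routes to a superuser must be refused with insufficient_privilege.
-- If either statement succeeds, the block aborts with an exception instead.
DO $$
BEGIN
    BEGIN
        CREATE ROLE rogue_admin SUPERUSER;
        RAISE EXCEPTION 'CREATE ROLE ... SUPERUSER unexpectedly succeeded';
    EXCEPTION WHEN insufficient_privilege THEN
        RAISE NOTICE 'creating a superuser was refused: %', SQLERRM;
    END;

    BEGIN
        ALTER ROLE site_user_1 SUPERUSER;
        RAISE EXCEPTION 'ALTER ROLE ... SUPERUSER unexpectedly succeeded';
    EXCEPTION WHEN insufficient_privilege THEN
        RAISE NOTICE 'promoting to superuser was refused: %', SQLERRM;
    END;
END
$$;

-- Back to the superuser session: confirm the resulting attributes.
RESET ROLE;
SELECT rolname, rolsuper, rolcreaterole
FROM pg_roles
WHERE rolname IN ('web_registrar', 'site_user_1', 'rogue_admin')
ORDER BY rolname;

-- Clean up the constructed roles.
DROP ROLE site_user_1;
DROP ROLE web_registrar;
```

CREATEROLE is still a powerful attribute, since the role can create further roles and manage the ones it creates, so the web server's account should be granted nothing beyond it.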
