Christopher Kings-Lynne <chriskl@familyhealth.com.au> writes:
> 1. Should we only allow users who currently hold the catalog perm to grant
> it to others? I think yes, since otherwise a regular superuser can create
> themselves another account with the catalog priv.
That brings up the whole business of just how super is a superuser,
and does it even make sense to try to design a "not quite superuser"
protection state. I'm not convinced that the usecatupd flag is so well
thought out that we should expose it for general use without some
consideration of alternative designs.
As an example, it might make more sense to create a separate flag bit
that simply grants the ability to add and delete users (non-superusers,
presumably), with none of the other attributes of a superuser. If I
recall your original concern properly, this would be a safer facility
for what you wanted to accomplish.
> 3. Upgrading from previous postgres will not give their old superusers
> back their catalog privilege, unless they dump with 7.5's pg_dump.
Only if you make it default to NOCATALOG, which is highly debatable in
my mind, since it is non-backwards-compatible.
regards, tom lane
