Bernd Helmle <mailings@oopsware.de> writes:
> --On Dienstag, Juni 05, 2007 16:04:44 +0200 Peter Eisentraut
> <peter_e@gmx.net> wrote:
>> Is it correct that a user with CREATEROLE privilege but without CREATEDB
>> privilege can create a user with *CREATEDB* privilege, thus bypassing his
>> original restrictions?
> I had this issue once, too. CREATEROLE doesn't imply any inheritance from a
> role which gots this privilege, thus you are required to treat such roles
> much the same as superuser. This behavior is documented (well, at least in
> 8.2, haven't looked in 8.1):
This is by design --- the point of CREATEROLE is that you can do
anything you want in the line of account management, without having
all the dangers inherent in being a real superuser. It's not something
you'd give out to people you didn't trust.
regards, tom lane