Re: CREATE USER and createuser not working the same - Mailing list pgsql-bugs

From Cédric Villemain
Subject Re: CREATE USER and createuser not working the same
Date
Msg-id 200709191029.45560.cedric.villemain@dalibo.com
Whole thread Raw
In response to Re: CREATE USER and createuser not working the same  (Cédric Villemain <cedric.villemain@dalibo.com>)
List pgsql-bugs
Le vendredi 14 septembre 2007, Cédric Villemain a écrit :
> Le jeudi 13 septembre 2007, Tom Lane a écrit :
> > Stéphane Schildknecht
>
> <stephane.schildknecht@postgresqlfr.org> writes:
> > > It seems the shell command createuser and the SQL CREATE USER don't act
> > > the same way,
> >
> > They aren't really claimed to.
>
> But the man say :
> " createuser is a wrapper around the SQL command CREATE ROLE
> [create_role(7)]. There is no effective difference between creating users
> via this utility and via other methods for accessing the server."
>
> > But the difference you point to is
> > irrelevant, since a superuser has createrole and createdb privilege
> > (and every other privilege) independently of what those columns say.
>

The superuser has no createrole and createdb privilege, he has superuser
privilege, which is enought to bypass createrole and createdb privilege.

There where no real answer about that.
What do we do ?

> It is right, but look at this scenario :
>
> CREATE ROLE super SUPERUSER;
> ALTER ROLE super NOSUPERUSER;
>
> No RIGHT to CREATEDB.
>
> If superuser is created using commandline, he can still CREATEDB after the
> same ALTER ROLE
>
> I think there is 2 options:
>
>  - change the manual and keep the actual method.
>  - don't stop asking privilege on createuser (it actually break after 'yes'
> to superuser)
>
> or do nothing...



--
Cédric Villemain
Administrateur de Base de Données
Cel: +33 (0)6 74 15 56 53
http://dalibo.com - http://dalibo.org

pgsql-bugs by date:

Previous
From: "Herouth Maoz"
Date:
Subject: BUG #3616: PgAdminIII crashes on copy operation
Next
From: "Guillaume 'ioguix' de Rorthais"
Date:
Subject: BUG #3619: Renaming sequence does not update its 'sequence_name' field