Re: report bug - Mailing list pgsql-bugs

From Tom Lane
Subject Re: report bug
Date
Msg-id 20119.1588254422@sss.pgh.pa.us
Whole thread Raw
In response to Re: report bug  ("David G. Johnston" <david.g.johnston@gmail.com>)
Responses 回复: report bug
List pgsql-bugs
"David G. Johnston" <david.g.johnston@gmail.com> writes:
>> So, why a role with NOCREATEDB can create a role who can create DB?

> Cannot answer why but given it is documented as working this way this isn’t
> a bug.

Yeah, that's deliberate.  CREATEROLE is intended to be sufficient
privilege for all day-to-day user/role administration, so that you
don't have to use a superuser bit for that.  The only restriction
on it is you can't manufacture new superuser roles ... but you
definitely can manufacture roles that have other privileges you
don't have yourself.  In particular, a CREATEROLE role can issue
GRANTs for privileges it doesn't have itself; so the behavior with
respect to CREATEDB isn't different from that.

            regards, tom lane



pgsql-bugs by date:

Previous
From: "David G. Johnston"
Date:
Subject: Re: report bug
Next
From: Tom Lane
Date:
Subject: Re: BUG #16403: set_bit function does not have expected effect