Home > mailing lists

Re: Postgres Enhancement Request - Mailing list pgsql-general

From	Thomas Kellerer
Subject	Re: Postgres Enhancement Request
Date	March 20, 2019 13:44:38
Msg-id	49902029-5742-00ba-85bd-fd0ba0b7d5f3@gmx.net Whole thread Raw
In response to	Postgres Enhancement Request ("Zwettler Markus (OIZ)" <Markus.Zwettler@zuerich.ch>)
Responses	AW: Postgres Enhancement Request ("Zwettler Markus (OIZ)" <Markus.Zwettler@zuerich.ch>) Re: Postgres Enhancement Request (Tom Lane <tgl@sss.pgh.pa.us>)
List	pgsql-general

Tree view

Zwettler Markus (OIZ) schrieb am 20.03.2019 um 11:10:
> CREATEROLE allows users to create new roles also having the CREATEDB privilege (at least in version 9.6).
> 
> We want special users to be able to CREATEROLE without being able to CREATEDB (eg. when usermanagement is done by the
applicationitself).
 
> 
> Please prevent users with CREATEROLE to create roles having CREATEDB (analogous SUPERUSER and REPLICATION).

I agree that would be a welcome enhancement. 

As a workaround, you can create a function owned by a superuser (or any other user with the "createrole" privilege)
using"security definer" that provides a simple "create user" capability and makes sure that the created user does not
havethe createdb privilege. 
 

The user/role that should be able to create new roles doesn't need the createrole privilege at all then. 
All it needs is the execute privilege on the function.

Thomas

pgsql-general by date:

From: "Zwettler Markus (OIZ)"
Date: 20 March 2019, 13:10:04
Subject: Postgres Enhancement Request

From: Hendrickx Pablo
Date: 20 March 2019, 14:14:18
Subject: Re: WSL (windows subsystem on linux) users will need to turn fsyncoff as of 11.2

Re: Postgres Enhancement Request - Mailing list pgsql-general

Previous

Next