Re: role self-revocation - Mailing list pgsql-hackers

From Tom Lane
Subject Re: role self-revocation
Date
Msg-id 5984.1646585629@sss.pgh.pa.us
In response to Re: role self-revocation  (Robert Haas <robertmhaas@gmail.com>)
Responses Re: role self-revocation  ("David G. Johnston" <david.g.johnston@gmail.com>)
Re: role self-revocation  (Robert Haas <robertmhaas@gmail.com>)
List pgsql-hackers
Robert Haas <robertmhaas@gmail.com> writes:
> ... Suppose the superuser grants "admin" to both "joe" and "sally".
> Now "joe" can SET ROLE to "admin" and revoke it from "sally", and the
> superuser has no tool to prevent this.

Really?

regression=# grant admin to joe;
GRANT ROLE
regression=# grant admin to sally;
GRANT ROLE
regression=# \c - joe
You are now connected to database "regression" as user "joe".
regression=> revoke admin from sally;
ERROR:  must have admin option on role "admin"
regression=> set role admin;
SET
regression=> revoke admin from sally;
ERROR:  must have admin option on role "admin"

I think there is an issue here around exactly what the admin option
means, but if it doesn't grant you the ability to remove grants
made by other people, it's pretty hard to see what it's for.

            regards, tom lane


