Re: Superuser can't revoke role granted by non-superuser - Mailing list pgsql-bugs

From Alexander Kukushkin
Subject Re: Superuser can't revoke role granted by non-superuser
Date
Msg-id CAFh8B==5bnZ9eT8fRt0onuh4Qag2OSXUGqv3Vx9JASw5=Zw4Eg@mail.gmail.com
In response to Re: Superuser can't revoke role granted by non-superuser  (Kirill Reshke <reshkekirill@gmail.com>)
Responses Re: Superuser can't revoke role granted by non-superuser
List pgsql-bugs

On Mon, 27 Jan 2025 at 10:20, Kirill Reshke <reshkekirill@gmail.com> wrote:
> Reproduced this at cf5eb37 (and not on its parent f026c16)
> There was some huge refactoring around user.c and particularly
> `check_role_grantor` function. I'm trying to comprehend.

I think the fix should look like:
diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
index 02824c32a49..29948d692b6 100644
--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -2342,7 +2342,8 @@ plan_single_revoke(CatCList *memlist, RevokeRoleGrantAction *actions,
                authmem_form = (Form_pg_auth_members) GETSTRUCT(authmem_tuple);
 
                if (authmem_form->member == member &&
-                       authmem_form->grantor == grantor)
+                       (authmem_form->grantor == grantor ||
+                        grantor == BOOTSTRAP_SUPERUSERID))
                {
                        if ((popt->specified & GRANT_ROLE_SPECIFIED_INHERIT) != 0)
                        {
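
Review bot: the added `grantor == BOOTSTRAP_SUPERUSERID` alternative removes the grantor filter altogether whenever the requested grantor is the bootstrap superuser, so every pg_auth_members row for this member matches, not only the row that was meant to be revoked. If the same member holds the role through rows recorded by several grantors, all of them are selected, and that also applies to the option-only path that begins at the `GRANT_ROLE_SPECIFIED_INHERIT` test right below. The condition also keys on one fixed OID, so it only helps when the caller's grantor has already been resolved to the bootstrap superuser; a short comment above the `if` stating that assumption would make the intent reviewable. Please cover the multi-grantor case in the regression tests (same member, two grantors, revoke by superuser) and confirm whether matching all rows is the intended behaviour or whether the match should stay limited to a single grantor's row.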

I am going to work on the patch and update regression tests accordingly.

Regards,
--
Alexander Kukushkin
