Home > mailing lists

Re: Superuser can't revoke role granted by non-superuser - Mailing list pgsql-bugs

From	Alexander Kukushkin
Subject	Re: Superuser can't revoke role granted by non-superuser
Date	January 27 16:13:47
Msg-id	CAFh8B=k0dciS9gQjF=KANv5REwe+8XqKLyUTuWfMP7DY8xsJVg@mail.gmail.com Whole thread Raw
In response to	Re: Superuser can't revoke role granted by non-superuser (Kirill Reshke <reshkekirill@gmail.com>)
Responses	Re: Superuser can't revoke role granted by non-superuser
List	pgsql-bugs

Tree view

On Mon, 27 Jan 2025 at 10:37, Kirill Reshke <reshkekirill@gmail.com> wrote:

I doubt this is a correct fix. The difference between cf5eb37 &
f026c16 behaviour is in who granted membership in role 'bb' to role
'aa'. In the case of f026c16 the role is 'b', while after it is
bootstrap superuser. Is this correct? If yes, why should we consider
BOOTSTRAP_SUPERUSERID in this if statement? Maybe there are some other
cases from which this will not guard?

Or... Maybe it is actually working like this by design.

There are UNIQUE constraints on pg_auth_members (member, roleid, grantor) columns.

Therefore function explicitly searching for a tuple with exact match of member and grantor.

Also, REVOKE syntax was extended to support GRANTED BY.

E.g. superuser is supposed to use "revoke bb from aa granted by b"

Regards,

Alexander Kukushkin

pgsql-bugs by date:

From: Julian Wreford
Date: 27 January, 15:45:25
Subject: Re: BUG #18782: Inconsistent behaviour with triggers and row level security - depends on prior number of inserts

From: Tom Lane
Date: 27 January, 20:43:13
Subject: Re: Superuser can't revoke role granted by non-superuser

Re: Superuser can't revoke role granted by non-superuser - Mailing list pgsql-bugs

Previous

Next