Re: CREATE ROLE bug? - Mailing list pgsql-hackers

From David G. Johnston
Subject Re: CREATE ROLE bug?
Date
Msg-id CAKFQuwag6RzTrpdkmzMj9C_nb25EAv8cURARvx+v3NyY=N8dEw@mail.gmail.com
In response to Re: CREATE ROLE bug?  (Bruce Momjian <bruce@momjian.us>)
Responses Re: CREATE ROLE bug?
List pgsql-hackers
On Wed, Jan 25, 2023 at 7:35 AM Bruce Momjian <bruce@momjian.us> wrote:

> So, how would someone with CREATEROLE permission add people to their own
> role, without superuser permission?  Are we adding any security by
> preventing this?


As an encouraged design choice you wouldn't.  You'd create a new group and add both yourself and the new role to it - then grant it the desired permissions.

A CREATEROLE role should probably be a user (LOGIN) role and user roles should not have members.

David J.
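
The group-based layout described in the reply above, as an added example that is not part of the original message or of PostgreSQL's own code. The role names `team_lead`, `new_hire` and `reporting` and the table `public.reports` are hypothetical, and the script assumes it is started in a superuser session so that `SET SESSION AUTHORIZATION` is available. The final query is an audit check for LOGIN roles that have members.

```sql
-- Setup (superuser): a LOGIN role allowed to create roles, plus a table to share.
-- All role and table names in this script are hypothetical.
CREATE ROLE team_lead LOGIN CREATEROLE;
CREATE TABLE public.reports (id int PRIMARY KEY, body text);

-- Act as the CREATEROLE user. Instead of adding the new role as a member
-- of team_lead, create a NOLOGIN group and put both roles into it.
SET SESSION AUTHORIZATION team_lead;
CREATE ROLE reporting NOLOGIN;
CREATE ROLE new_hire LOGIN;
GRANT reporting TO team_lead, new_hire;
RESET SESSION AUTHORIZATION;

-- The object owner grants privileges to the group, not to either user role.
GRANT SELECT ON public.reports TO reporting;

-- Both users now reach the table only through the group.
SET ROLE new_hire;
SELECT count(*) FROM public.reports;
RESET ROLE;

-- Audit: list LOGIN (user) roles that have members. Under the convention
-- "user roles should not have members" this should return no rows.
SELECT g.rolname AS login_role_with_members,
       m.rolname AS member
FROM pg_auth_members AS am
JOIN pg_roles AS g ON g.oid = am.roleid
JOIN pg_roles AS m ON m.oid = am.member
WHERE g.rolcanlogin
ORDER BY g.rolname, m.rolname;
```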
