Re: CREATE ROLE bug? - Mailing list pgsql-hackers

From Bruce Momjian
Subject Re: CREATE ROLE bug?
Date
Msg-id Y9E+M7FxV5EOCWSF@momjian.us
Whole thread Raw
In response to Re: CREATE ROLE bug?  (Robert Haas <robertmhaas@gmail.com>)
Responses Re: CREATE ROLE bug?
Re: CREATE ROLE bug?
List pgsql-hackers
On Wed, Jan 25, 2023 at 08:47:14AM -0500, Robert Haas wrote:
> > I am not sure if the behavior is wrong, the error message is wrong, or
> > it is working as expected.
> 
> It is indeed related to that discussion and change. In existing
> released branches, a CREATEROLE user can make any role a member of any
> other role even if they have no rights at all with respect to that
> role. This means that a CREATEROLE user can create a new user in the
> pg_execute_server_programs group even though they have no access to
> it. That allows any CREATEROLE user to take over the OS account, and
> thus also superuser. In master, the rules have been tightened up.
> CREATEROLE no longer exempts you from the usual permission checks
> about adding a user to a group. This means that a CREATEROLE user now
> needs the same permissions to add a user to a group as any other user
> would need, i.e. ADMIN OPTION on the group.
> 
> In your example, the "service" user has CREATEROLE and is therefore
> entitled to create new roles. However, "service" can only add those
> new roles to groups for which "service" possesses ADMIN OPTION. And
> "service" does not have ADMIN OPTION on itself, because no role ever
> possesses ADMIN OPTION on itself.

So, how would someone with CREATEROLE permission add people to their own
role, without superuser permission?  Are we adding any security by
preventing this?

-- 
  Bruce Momjian  <bruce@momjian.us>        https://momjian.us
  EDB                                      https://enterprisedb.com

Embrace your flaws.  They make you human, rather than perfect,
which you will never be.



pgsql-hackers by date:

Previous
From: "Takamichi Osumi (Fujitsu)"
Date:
Subject: RE: Time delayed LR (WAS Re: logical replication restrictions)
Next
From: "David G. Johnston"
Date:
Subject: Re: CREATE ROLE bug?