Re: What happened to the tip "It is good practice to create a role that has the CREATEDB and CREATEROLE privileges..." - Mailing list pgsql-general

From Laurenz Albe
Subject Re: What happened to the tip "It is good practice to create a role that has the CREATEDB and CREATEROLE privileges..."
Msg-id db2c7c3e0c065ca89bb9664b3f6e01cef4f6de8a.camel@cybertec.at
In response to Re: What happened to the tip "It is good practice to create a role that has the CREATEDB and CREATEROLE privileges..."  (Bryn Llewellyn <bryn@yugabyte.com>)
Responses Re: What happened to the tip "It is good practice to create a role that has the CREATEDB and CREATEROLE privileges..."
List pgsql-general
On Wed, 2023-04-19 at 16:53 -0700, Bryn Llewellyn wrote:
>
> I do see that a role that has "createdb" and "createrole" is pretty powerful because,
> for example, a role with these attributes can use "set role" to become any other non-superuser
> (see the example below).

A user with CREATEROLE can make herself a member of "pg_execute_server_program", which
in turn allows a clever attacker on a normal installation to make herself superuser.

Yours,
Laurenz Albe
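
To review an installation for the exposure described in the message above, the following read-only query (an added example, not part of the original message) lists every non-superuser role that has CREATEROLE or is already a direct or indirect member of "pg_execute_server_program". It reads only the pg_roles and pg_auth_members system catalogs; the CTE name "reach" and the alias "membership_depth" are chosen for this example.

```sql
-- Added audit example: read-only, touches only system catalogs.
WITH RECURSIVE reach AS (
    -- Roles granted pg_execute_server_program directly.
    SELECT m.member, 1 AS depth
    FROM pg_auth_members AS m
    JOIN pg_roles AS g ON g.oid = m.roleid
    WHERE g.rolname = 'pg_execute_server_program'
  UNION
    -- Roles that are members of a role already found (indirect membership).
    SELECT m.member, r.depth + 1
    FROM pg_auth_members AS m
    JOIN reach AS r ON m.roleid = r.member
)
SELECT r.rolname,
       r.rolcanlogin,
       r.rolcreaterole,
       -- NULL means the role is not currently a member, directly or indirectly.
       min(x.depth) AS membership_depth
FROM pg_roles AS r
LEFT JOIN reach AS x ON x.member = r.oid
WHERE NOT r.rolsuper
  AND (r.rolcreaterole OR x.member IS NOT NULL)
GROUP BY r.rolname, r.rolcanlogin, r.rolcreaterole
ORDER BY r.rolcreaterole DESC, r.rolname;
```

Rows with rolcreaterole = true and a NULL membership_depth are the roles that hold CREATEROLE without currently being members; rows with a non-NULL depth already hold the membership and should each be justified.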


