Thread: Create role question

Create role question

From: Joachim Wieland

Hi, I wonder if the following behavior is intentional or not:

template1=# create role r1 nocreatedb createrole;
CREATE ROLE
template1=# set role r1;
SET
template1=> create role r2 createdb;
CREATE ROLE
template1=> set role r2;
SET
template1=> create database d1;
CREATE DATABASE

So in effect, if you grant the CREATEROLE privilege, you automatically grant
CREATEDB as well... I haven't found a clear statement about that in the
documentation, but if it is intentional, the description of the CREATEROLE
privilege should contain a note about that.

One (or I at least) would have suspected that a role can only create other
roles with privileges it has been granted itself.


Joachim

Re: Create role question

From: Tom Lane

Joachim Wieland <joe@mcknight.de> writes:
> So in effect, if you grant the CREATEROLE privilege, you automatically grant
> CREATEDB as well...

Not to mention a whole lot of other privileges.  CREATEROLE is pretty
nearly superuser from a what-can-you-do point of view.  It only disables
the ability to actively break the database system (e.g. by directly
modifying system catalogs).

            regards, tom lane
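
An audit query for the behaviour discussed in this thread, added here as an example and not part of either message: it lists every non-superuser role that holds CREATEROLE itself or is a member, directly or indirectly, of a role that does, and so can get there with SET ROLE. It reads only the pg_roles and pg_auth_members catalogs; the CTE name and column aliases are made up for the example.

```sql
-- Added example: who effectively holds CREATEROLE in this cluster?
-- Role attributes such as CREATEROLE are not inherited through membership,
-- but a member can SET ROLE to the role that has the attribute, as in the
-- session shown in the first message.
WITH RECURSIVE reach(member_oid, via_oid) AS (
    -- Base case: non-superuser roles that carry CREATEROLE themselves.
    SELECT r.oid, r.oid
    FROM pg_roles r
    WHERE r.rolcreaterole
      AND NOT r.rolsuper
  UNION
    -- Recursive case: any member of a role that already reaches CREATEROLE.
    SELECT m.member, reach.via_oid
    FROM pg_auth_members m
    JOIN reach ON m.roleid = reach.member_oid
)
SELECT mr.rolname     AS role_name,
       vr.rolname     AS createrole_via,
       mr.rolcanlogin AS can_login,
       mr.rolcreatedb AS has_createdb_itself
FROM reach
JOIN pg_roles mr ON mr.oid = reach.member_oid
JOIN pg_roles vr ON vr.oid = reach.via_oid
WHERE NOT mr.rolsuper          -- superusers are out of scope for this audit
ORDER BY createrole_via, role_name;
-- Note: on PostgreSQL 16 and later a membership granted WITH SET FALSE does
-- not permit SET ROLE; this query ignores that option and may over-report.
```

Rows where has_createdb_itself is false are the ones the thread is about: the role was never granted CREATEDB, yet it is in a position to obtain it.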