Kenneth Downs <ken@secdat.com> writes:
> Except for the hole. On a public site that lets users register, we have
> to have a way to let the web server assume the role of somebody who has
> createuser privilege, and that's pretty much the end of the no-root
> policy. If an exploit could be placed, it could simply go into that
> mode and create a superuser.
> What would be really nice is if you could limit the ability of
> CREATEUSER to grant roles.
I believe that a role that has CREATEROLE but not SUPERUSER can only
create non-SUPERUSER roles. Does that help?
regards, tom lane
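
The behaviour described in the reply can be checked with a psql session like the one below. This is an added example, not part of the original thread; the role names webapp, registrar, alice and mallory are hypothetical, and the script assumes it is started by a superuser on a scratch cluster.

```sql
-- Constructed example: all role names are hypothetical.
-- Run in psql as a superuser, without ON_ERROR_STOP, so the session
-- continues past the two statements that are expected to fail.

-- The role the web server logs in as: no special attributes.
CREATE ROLE webapp LOGIN NOSUPERUSER NOCREATEROLE;

-- The role it assumes only while registering a new user.
CREATE ROLE registrar NOLOGIN NOSUPERUSER CREATEROLE;
GRANT registrar TO webapp;

-- Simulate the web server's connection.
SET SESSION AUTHORIZATION webapp;

-- Role attributes such as CREATEROLE are not inherited through
-- membership, so the application has to switch roles explicitly.
SET ROLE registrar;

-- Ordinary registration: succeeds.
CREATE ROLE alice LOGIN;

-- What an exploit running in "registration mode" might try.
-- Both statements are rejected because registrar is not a superuser.
CREATE ROLE mallory SUPERUSER LOGIN;
ALTER ROLE alice SUPERUSER;

RESET ROLE;
RESET SESSION AUTHORIZATION;

-- Verify: alice exists with rolsuper = false, mallory was never created.
SELECT rolname, rolsuper, rolcreaterole
FROM pg_roles
WHERE rolname IN ('webapp', 'registrar', 'alice', 'mallory')
ORDER BY rolname;

-- Clean up the scratch roles.
DROP ROLE alice;
DROP ROLE webapp;
DROP ROLE registrar;
```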