Tom Lane wrote:
> Alvaro Herrera <alvherre@commandprompt.com> writes:
> > However there is an effort to get rid of root in some Unix lands,
> > separating its responsabilities with more granularity. Maybe there
> > could be an effort, not to hand-hold the true superusers, but to
> > delegate some of its responsabilities to other users.
>
> We did that already (see CREATEROLE privilege in 8.1)
Part of it. We can still improve, I think. Not that I have a concrete
proposal to make though.
Regarding CREATEROLE, I wonder why is that a role with that privilege is
able to create other roles containing any privileges (except
superuserness), and not just the privileges the creating role has.
--
Alvaro Herrera http://www.CommandPrompt.com/
PostgreSQL Replication, Consulting, Custom Development, 24x7 support