Re: db_user_namespace a "temporary measure"

From Stephen Frost
Subject Re: db_user_namespace a "temporary measure"
Date
Msg-id 20140312150649.GS12995@tamriel.snowman.net
In reply to Re: db_user_namespace a "temporary measure"  (Magnus Hagander <magnus@hagander.net>)
List pgsql-hackers
* Magnus Hagander (magnus@hagander.net) wrote:
> On Wed, Mar 12, 2014 at 3:52 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> > I share your doubts as to how useful such a concept actually is, but
> > it'd work if we had real local users.
>
>
> It can also do interesting things like ALTER SYSTEM, replication, backups,
> etc. All of which could be used to escalate privileges beyond the local
> database.

Probably DROP ROLE for global users too.

> So you'd have to somehow restrict those, at which point what's the point of
> the property in the first place?

We've been asked quite often for a not-quite-superuser, as in, one which
can bypass the normal GRANT-based permission system but which can't do
things like create untrusted functions or do other particularly bad
activities.  I can certainly see value in that.  Another oft-requested
option is a read-only role which pg_dump or an auditor could use.

Anyway, this is getting a bit far afield from the original discussion,
which looked like it might actually be heading somewhere interesting..

Thanks,
    Stephen
