"Jim C. Nasby" <jnasby@pervasive.com> writes:
> My original point was that if you don't have permission to do something,
> you shouldn't be able to grant permissions to do it. This applies to all
> the permissions, not just superuser (though that one's obviously the
> most dangerous). Granted, at this point I think the only permission this
> would really matter on (other than SUPERUSER/CREATEUSER) is CREATEDB,
> but that will probably change if more privleges are added. It seems we
> should set the standard now that if you don't have a permission you
> can't grant it, rather than wait 'til later.
I'm not convinced. It seems reasonable to say that you can't grant
CREATEDB if you don't have it, but that's only because it's hard to
imagine why anyone would make a role that's CREATEROLE and not CREATEDB.
But, for example, we allow a CREATEROLE role to grant and revoke role
memberships without itself being an admin of those roles.
Basically the point of CREATEROLE is to be a safer kind of superuser:
you can do what you like with respect to creating and dropping and
altering users and groups (other than superusers), but you don't have
permission to, say, "DELETE FROM pg_proc". If we restrict CREATEROLE
to not have any privileges that an ordinary user wouldn't have except
the ability to create users, then we'll be back at square one in the
sense that lots of common administrative situations will require
superuser privilege.
It's quite likely that we don't have CREATEROLE fully done yet, and
that it still needs some more tweaks that we haven't thought of.
But I don't think I buy the premise that it ought to be confined to
creating users with no other special privileges. If we do that,
we'll just have to re-invent the limited-superuser facility under
a different name, because there's a serious need for that.
regards, tom lane