>> On Oct 25, 2021, at 10:09 PM, Shinya Kato <Shinya11.Kato@oss.nttdata.com> wrote:
>> Hi! Thank you for the patch.
>> I too think that CREATEROLE escalation attack is problem.
>>
>> I have three comments.
>> 1. Is there a function to check the owner of a role, it would be nice to be able to check with \du or pg_roles view.
>
> No, but that is a good idea.
These two ideas are implemented in v2. Both \du and pg_roles show the owner information.
> The current solution is to run REASSIGN OWNED in each database where the role owns objects before running DROP ROLE.
Atthat point, the CASCADE option (not implemented) won't be needed. Of course, I need to post the next revision of
thispatch set addressing the deficiencies that Nathan pointed out upthread to make that work.
REASSIGN OWNED and ALTER ROLE..OWNER TO now work in v2.
—
Mark Dilger
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company