Re: ROLE INHERIT

Tom Lane wrote:

Kenneth Downs <ken@secdat.com> writes: 

Except for the hole.  On a public site that lets users register, we have 
to have  way to let the web server assume the role of somebody who has 
createuser privelege, and that's pretty much the end of the no-root 
policy.  If an exploit could be placed, it could simply go into that 
mode and create a superuser.    

What would be really nice is if you could limit the ability of 
CREATEUSER to grant roles.   

I believe that a role that has CREATEROLE but not SUPERUSER can only
create non-SUPERUSER roles.  Does that help?
		regards, tom lane 

Probably not.  The problem is that a person with createrole can create any role, so by mistake or exploit a user can be given admin access (admin here defined by roles given, not by SUPERUSER flag) to another database by a role that itself is supposed to be a public-only mostly read-only role.