Tom Lane wrote:
Kenneth Downs <ken@secdat.com> writes:
Except for the hole. On a public site that lets users register, we have
to have way to let the web server assume the role of somebody who has
createuser privelege, and that's pretty much the end of the no-root
policy. If an exploit could be placed, it could simply go into that
mode and create a superuser.
What would be really nice is if you could limit the ability of
CREATEUSER to grant roles.
I believe that a role that has CREATEROLE but not SUPERUSER can only
create non-SUPERUSER roles. Does that help?
regards, tom lane
Probably not. The problem is that a person with createrole can create any role, so by mistake or exploit a user can be given admin access (admin here defined by roles given, not by SUPERUSER flag) to another database by a role that itself is supposed to be a public-only mostly read-only role.