Re: CREATEROLE, CREATEDB
| From | Chander Ganesan |
|---|---|
| Subject | Re: CREATEROLE, CREATEDB |
| Date | |
| Msg-id | 4665B98A.8010801@otg-nc.com |
| In reply to | CREATEROLE, CREATEDB (Peter Eisentraut <peter_e@gmx.net>) |
| List | pgsql-hackers |
Peter Eisentraut wrote:

> Is it correct that a user with CREATEROLE privilege but without CREATEDB
> privilege can create a user with *CREATEDB* privilege, thus bypassing his
> original restrictions? This sequence doesn't look right:
>
> pei=# create user foo1 createrole;
> CREATE ROLE
> pei=# \c - foo1
> You are now connected to database "pei" as user "foo1".
> pei=> create database test;
> ERROR: permission denied to create database
> pei=> create user foo2 createdb;
> CREATE ROLE
> pei=> \c - foo2
> You are now connected to database "pei" as user "foo2".
> pei=> create database test;
> CREATE DATABASE

That's how it's documented: http://www.postgresql.org/docs/8.2/interactive/sql-createrole.html

Be careful with the CREATEROLE privilege. There is no concept of inheritance for the privileges of a CREATEROLE-role. That means that even if a role does not have a certain privilege but is allowed to create other roles, it can easily create another role with different privileges than its own (except for creating roles with superuser privileges). For example, if the role "user" has the CREATEROLE privilege but not the CREATEDB privilege, nonetheless it can create a new role with the CREATEDB privilege. Therefore, regard roles that have the CREATEROLE privilege as almost-superuser-roles.

--
Chander Ganesan
The Open Technology Group
One Copley Parkway, Suite 210
Morrisville, NC 27560
Phone: 877-258-8987/919-463-0999
http://www.otg-nc.com
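A defender-side check for the situation the thread describes, added here as an example and not part of either message or of the PostgreSQL documentation: an audit query over the built-in `pg_roles` catalog that lists every role holding CREATEROLE (the documentation quoted above says to treat such roles as almost-superusers) and flags the ones that lack CREATEDB, which is exactly the combination `foo1` had. The role name `foo1` in the remediation statement is taken from the thread; any other names are constructed for illustration.

```sql
-- Added audit query (not from the thread). Lists superusers and every role
-- that holds CREATEROLE, with a note on why each one matters. Only the
-- standard pg_roles catalog is used; no extensions are assumed.
SELECT rolname,
       rolsuper,
       rolcreaterole,
       rolcreatedb,
       rolcanlogin,
       CASE
         WHEN rolsuper THEN 'superuser'
         WHEN rolcreaterole AND NOT rolcreatedb
           THEN 'CREATEROLE without CREATEDB: can create a CREATEDB role anyway'
         WHEN rolcreaterole
           THEN 'CREATEROLE: treat as almost-superuser'
       END AS risk_note
FROM pg_roles
WHERE rolsuper OR rolcreaterole
ORDER BY rolsuper DESC, rolcreaterole DESC, rolname;

-- Remediation for a role like foo1 from the thread: withdraw CREATEROLE
-- unless that role is trusted to the same degree as a superuser. Role
-- creation can then be performed by a superuser or a dedicated admin role.
ALTER ROLE foo1 NOCREATEROLE;
```

Run the audit query as a superuser (or any role that can read `pg_roles`) after every role change; a CREATEROLE holder showing `rolcanlogin = true` is the case to review first, since it can be used directly from a client session as in the transcript above.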