Re: Superuser can't revoke role granted by non-superuser
From | Kirill Reshke |
---|---|
Subject | Re: Superuser can't revoke role granted by non-superuser |
Date | |
Msg-id | CALdSSPjrXoUM3VJ-o_H6NEhGXvqDR3jf8VohpMxy1J2hfYDo1w@mail.gmail.com |
In response to | Superuser can't revoke role granted by non-superuser (Alexander Kukushkin <cyberdemn@gmail.com>) |
Responses | Re: Superuser can't revoke role granted by non-superuser |
List | pgsql-bugs |

On Mon, 27 Jan 2025 at 13:49, Alexander Kukushkin <cyberdemn@gmail.com> wrote:
>
> Hi,
>
> Here is a self-contained example with 17.2, however I assume that 16 and master will exhibit similar behaviour.
>
> postgres=# create user a with createrole;
> CREATE ROLE
> postgres=# create user b with createrole;
> CREATE ROLE
> postgres=# set role a;
> SET
> postgres=> create user aa;
> CREATE ROLE
> postgres=> set role b;
> SET
> postgres=> create user bb;
> CREATE ROLE
> postgres=> grant bb to aa;
> GRANT ROLE
> postgres=> \drg
>               List of role grants
>  Role name | Member of |   Options    | Grantor
> -----------+-----------+--------------+----------
>  a         | aa        | ADMIN        | postgres
>  aa        | bb        | INHERIT, SET | b
>  b         | bb        | ADMIN        | postgres
> (3 rows)
>
> postgres=> reset role;
> RESET
> postgres=# revoke bb from aa;
> WARNING:  role "aa" has not been granted membership in role "bb" by role "postgres"
> REVOKE ROLE
> postgres=# \drg
>               List of role grants
>  Role name | Member of |   Options    | Grantor
> -----------+-----------+--------------+----------
>  a         | aa        | ADMIN        | postgres
>  aa        | bb        | INHERIT, SET | b
>  b         | bb        | ADMIN        | postgres
> (3 rows)
>
> IMO, superusers should be able to revoke privileges it didn't grant.
>
> Regards,
> --
> Alexander Kukushkin

Reproduced this at cf5eb37 (and not on its parent f026c16)
There was some huge refactoring around user.c and particularly `check_role_grantor` function. I'm trying to comprehend.

--
Best regards,
Kirill Reshke
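
An added example, not part of either message in the thread: an audit query that lists role memberships together with their recorded grantor and builds a `REVOKE` that names that grantor explicitly, since the WARNING in the report shows the bare `revoke bb from aa` looked only for a grant made by `postgres`. It assumes PostgreSQL 16 or later (the `inherit_option` and `set_option` columns of `pg_auth_members`, and `REVOKE ... GRANTED BY` accepting another role); the output column aliases are my own.

```sql
-- Added example (not from the thread). Assumes PostgreSQL 16+.
-- Run as a superuser: lists every role membership whose recorded grantor
-- is not itself a superuser, and generates a REVOKE that targets that
-- specific grant by naming the grantor.
SELECT m.rolname AS role_name,        -- member role ("Role name" in \drg)
       r.rolname AS member_of,        -- granted role ("Member of" in \drg)
       g.rolname AS grantor,          -- role recorded as having made the grant
       am.admin_option,
       am.inherit_option,
       am.set_option,
       format('REVOKE %I FROM %I GRANTED BY %I;',
              r.rolname, m.rolname, g.rolname) AS revoke_stmt
FROM   pg_auth_members AS am
JOIN   pg_roles AS r ON r.oid = am.roleid     -- role being granted
JOIN   pg_roles AS m ON m.oid = am.member     -- role receiving the membership
JOIN   pg_roles AS g ON g.oid = am.grantor    -- grantor of this particular grant
WHERE  NOT g.rolsuper                         -- grants a plain REVOKE by a superuser would not match
ORDER  BY member_of, role_name;
```

Review the generated `revoke_stmt` values before executing any of them; the query itself only reads the catalog.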