Re: What happened to the tip "It is good practice to create a role that has the CREATEDB and CREATEROLE privileges..."

Поиск
Список
Период
Сортировка
От Laurenz Albe
Тема Re: What happened to the tip "It is good practice to create a role that has the CREATEDB and CREATEROLE privileges..."
Дата
Msg-id db2c7c3e0c065ca89bb9664b3f6e01cef4f6de8a.camel@cybertec.at
обсуждение исходный текст
Ответ на Re: What happened to the tip "It is good practice to create a role that has the CREATEDB and CREATEROLE privileges..."  (Bryn Llewellyn <bryn@yugabyte.com>)
Ответы Re: What happened to the tip "It is good practice to create a role that has the CREATEDB and CREATEROLE privileges..."  (Bryn Llewellyn <bryn@yugabyte.com>)
Список pgsql-general
Дерево обсуждения 
On Wed, 2023-04-19 at 16:53 -0700, Bryn Llewellyn wrote:
>
> I do see that a role that has "createdb" and "createrole" is pretty powerful because,
> for example, a role with these attributes can use "set role" to become any other non-superuser
> (see the example below).

A user with CREATEROLE can make herself a member of "pg_execute_server_program", which
in turn allows a clever attacker on a normal installation to make herself superuser.

Yours,
Laurenz Albe

В списке pgsql-general по дате отправления:

Предыдущее
От: Tom Lane
Дата:
Сообщение: Re: Question about accessing partitions whose name includes the schema name and a period - is this correct?
Следующее
От: Bryn Llewellyn
Дата:
Сообщение: Re: What happened to the tip "It is good practice to create a role that has the CREATEDB and CREATEROLE privileges..."