On Wed, Jan 25, 2023 at 07:38:51AM -0700, David G. Johnston wrote:
> On Wed, Jan 25, 2023 at 7:35 AM Bruce Momjian <bruce@momjian.us> wrote:
>
> > So, how would someone with CREATEROLE permission add people to their own
> > role, without superuser permission? Are we adding any security by
> > preventing this?
>
> As an encouraged design choice you wouldn't. You'd create a new group and add
> both yourself and the new role to it - then grant it the desired permissions.
>
> A CREATEROLE role should probably be a user (LOGIN) role and user roles should
> not have members.

Makes sense. I was actually using that pattern, but in running some
test scripts that didn't revert back to the superuser, I saw the errors
and was confused.
--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com
Embrace your flaws. They make you human, rather than perfect,
which you will never be.
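
The group-role pattern described in the quoted reply, as an added SQL example that is not part of the original thread. The role names alice, bob and app_readers and the table reports are hypothetical, and the table is assumed to exist already.

```sql
-- Constructed example; all role and table names are hypothetical.

-- As a superuser: create the delegated administrator as a LOGIN role.
CREATE ROLE alice LOGIN CREATEROLE;

-- Act as alice from here on; no superuser rights are used below.
SET SESSION AUTHORIZATION alice;

-- A group role: NOLOGIN, it exists only to carry privileges.
CREATE ROLE app_readers NOLOGIN;

-- The new user role.
CREATE ROLE bob LOGIN;

-- Membership goes into the group, so alice's own login role
-- never acquires members.
GRANT app_readers TO alice, bob;

-- The case the thread discusses as prevented: making bob a member of
-- alice's own role. Left commented out.
-- GRANT alice TO bob;

RESET SESSION AUTHORIZATION;

-- As the table owner (assumed here to be the superuser session):
-- privileges are granted to the group, not to individual users.
GRANT SELECT ON TABLE reports TO app_readers;

-- Check who belongs to the group.
SELECT r.rolname AS group_role, m.rolname AS member
FROM pg_auth_members am
JOIN pg_roles r ON r.oid = am.roleid
JOIN pg_roles m ON m.oid = am.member
WHERE r.rolname = 'app_readers';
```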