Обсуждение: report bug

Поиск
Список
Период
Сортировка

report bug

От
"断桥烟雨三两月"
Дата:
As is shown,I login as u-mx_3 (CREATEROLE,NOCREATEDB),and I can't create DB;
However,I can create a role with the pri CREATEDB,and it works!!

So, why a role with NOCREATEDB can create a role who can create DB?


Вложения

Re: report bug

От
"David G. Johnston"
Дата:

So, why a role with NOCREATEDB can create a role who can create DB?

Cannot answer why but given it is documented as working this way this isn’t a bug.

“ Be careful with the CREATEROLE privilege. There is no concept of inheritance for the privileges of a CREATEROLE-role. That means that even if a role does not have a certain privilege but is allowed to create other roles, it can easily create another role with different privileges than its own (except for creating roles with superuser privileges)”


David J.

Re: report bug

От
Tom Lane
Дата:
"David G. Johnston" <david.g.johnston@gmail.com> writes:
>> So, why a role with NOCREATEDB can create a role who can create DB?

> Cannot answer why but given it is documented as working this way this isn’t
> a bug.

Yeah, that's deliberate.  CREATEROLE is intended to be sufficient
privilege for all day-to-day user/role administration, so that you
don't have to use a superuser bit for that.  The only restriction
on it is you can't manufacture new superuser roles ... but you
definitely can manufacture roles that have other privileges you
don't have yourself.  In particular, a CREATEROLE role can issue
GRANTs for privileges it doesn't have itself; so the behavior with
respect to CREATEDB isn't different from that.

            regards, tom lane

回复: report bug

От
"断桥烟雨三两月"
Дата:
I got it,thanks


------------------ 原始邮件 ------------------
发件人: "Tom Lane"<tgl@sss.pgh.pa.us>;
发送时间: 2020年4月30日(星期四) 晚上9:47
收件人: "David G. Johnston"<david.g.johnston@gmail.com>;
抄送: "断桥烟雨三两月"<1310659646@qq.com>; "pgsql-bugs"<pgsql-bugs@lists.postgresql.org>;
主题: Re: report bug

"David G. Johnston" <david.g.johnston@gmail.com> writes:
>> So, why a role with NOCREATEDB can create a role who can create DB?

> Cannot answer why but given it is documented as working this way this isn’t
> a bug.

Yeah, that's deliberate.  CREATEROLE is intended to be sufficient
privilege for all day-to-day user/role administration, so that you
don't have to use a superuser bit for that.  The only restriction
on it is you can't manufacture new superuser roles ... but you
definitely can manufacture roles that have other privileges you
don't have yourself.  In particular, a CREATEROLE role can issue
GRANTs for privileges it doesn't have itself; so the behavior with
respect to CREATEDB isn't different from that.

regards, tom lane

.qmbox style, .qmbox script, .qmbox head, .qmbox link, .qmbox meta {display: none !important;}