From b35440eae8a3dddf6e0dcff6879941d5995f084a Mon Sep 17 00:00:00 2001 From: Bruce Momjian Date: Fri, 3 Mar 2006 03:06:05 +0000 Subject: [PATCH] Appended is a small documentation patch that adds a note to the CREATE ROLE page, based on what Tom Lane told me here: http://archives.postgresql.org/pgsql-general/2005-11/msg00998.php Joachim Wieland --- doc/src/sgml/ref/create_role.sgml | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/doc/src/sgml/ref/create_role.sgml b/doc/src/sgml/ref/create_role.sgml index 60dce9b298..e25f07f570 100644 --- a/doc/src/sgml/ref/create_role.sgml +++ b/doc/src/sgml/ref/create_role.sgml @@ -1,5 +1,5 @@ @@ -347,6 +347,19 @@ where option can be: specified in the SQL standard. + + Be careful with the CREATEROLE privilege. There is no concept of + inheritance for the privileges of a CREATEROLE-role. That + means that even if a role does not have a certain privilege but is allowed + to create other roles, it can easily create another role with different + privileges than its own (except for creating roles with superuser + privileges). For example, if the role user has the + CREATEROLE privilege but not the CREATEDB privilege, + nonetheless it can create a new role with the CREATEDB + privilege. Therefore, regard roles that have the CREATEROLE + privilege as almost-superuser-roles. + + PostgreSQL includes a program that has