Bernd Helmle <[EMAIL PROTECTED]> writes: > --On Dienstag, Juni 05, 2007 16:04:44 +0200 Peter Eisentraut > <[EMAIL PROTECTED]> wrote: >> Is it correct that a user with CREATEROLE privilege but without CREATEDB >> privilege can create a user with *CREATEDB* privilege, thus bypassing his >> original restrictions?
> I had this issue once, too. CREATEROLE doesn't imply any inheritance from a > role which gots this privilege, thus you are required to treat such roles > much the same as superuser. This behavior is documented (well, at least in > 8.2, haven't looked in 8.1): This is by design --- the point of CREATEROLE is that you can do anything you want in the line of account management, without having all the dangers inherent in being a real superuser. It's not something you'd give out to people you didn't trust. regards, tom lane ---------------------------(end of broadcast)--------------------------- TIP 6: explain analyze is your friend