Bernd Helmle <[EMAIL PROTECTED]> writes:
> --On Dienstag, Juni 05, 2007 16:04:44 +0200 Peter Eisentraut 
> <[EMAIL PROTECTED]> wrote:
>> Is it correct that a user with CREATEROLE privilege but without CREATEDB
>> privilege can create a user with *CREATEDB* privilege, thus bypassing his
>> original restrictions?

> I had this issue once, too. CREATEROLE doesn't imply any inheritance from a 
> role which gots this privilege, thus you are required to treat such roles 
> much the same as superuser. This behavior is documented (well, at least in 
> 8.2, haven't looked in 8.1):

This is by design --- the point of CREATEROLE is that you can do
anything you want in the line of account management, without having
all the dangers inherent in being a real superuser.  It's not something
you'd give out to people you didn't trust.

                        regards, tom lane

---------------------------(end of broadcast)---------------------------
TIP 6: explain analyze is your friend

Reply via email to