Bernd Helmle <[EMAIL PROTECTED]> writes:
> --On Dienstag, Juni 05, 2007 16:04:44 +0200 Peter Eisentraut
> <[EMAIL PROTECTED]> wrote:
>> Is it correct that a user with CREATEROLE privilege but without CREATEDB
>> privilege can create a user with *CREATEDB* privilege, thus bypassing his
>> original restrictions?
> I had this issue once, too. CREATEROLE doesn't imply any inheritance from a
> role which gots this privilege, thus you are required to treat such roles
> much the same as superuser. This behavior is documented (well, at least in
> 8.2, haven't looked in 8.1):
This is by design --- the point of CREATEROLE is that you can do
anything you want in the line of account management, without having
all the dangers inherent in being a real superuser. It's not something
you'd give out to people you didn't trust.
regards, tom lane
---------------------------(end of broadcast)---------------------------
TIP 6: explain analyze is your friend
