Appended is a small documentation patch that adds a note to the CREATE ROLE page, based on what Tom Lane told me here:
http://archives.postgresql.org/pgsql-general/2005-11/msg00998.php

I think this behavior should be explicitly noted in the docs.

Joachim
diff -cr cvs/pgsql/doc/src/sgml/ref/create_role.sgml cvs.doc/pgsql/doc/src/sgml/ref/create_role.sgml *** cvs/pgsql/doc/src/sgml/ref/create_role.sgml 2005-11-20 13:42:46.000000000 +0100 --- cvs.doc/pgsql/doc/src/sgml/ref/create_role.sgml 2005-12-09 11:52:24.000000000 +0100 *************** *** 345,350 **** --- 345,363 ---- </para> <para> + Be careful with the <literal>CREATEROLE</> privilege. There is no concept of + inheritance for the privileges of a <literal>CREATEROLE</>-role. That + means that even if a role does not have a certain privilege but is allowed + to create other roles, it can easily create another role with different + privileges than its own (except for creating roles with superuser + privileges). For example, if the role <quote>user</> has the + <literal>CREATEROLE</> privilege but not the <literal>CREATEDB</> privilege, + nonetheless it can create a new role with the <literal>CREATEDB</> + privilege. Therefore, regard roles that have the <literal>CREATEROLE</> + privilege as almost-superuser-roles. + </para> + + <para> <productname>PostgreSQL</productname> includes a program <xref linkend="APP-CREATEUSER" endterm="APP-CREATEUSER-title"> that has the same functionality as <command>CREATE ROLE</command> (in fact,
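Review bot: the sentence "There is no concept of inheritance for the privileges of a <literal>CREATEROLE</>-role" is misleading: the paragraph is not describing any parent/child relationship between roles but, as its own following sentences say, that the attributes a CREATEROLE role may give to the roles it creates are not limited to the attributes it holds itself. Suggest replacing that sentence with something like "A role with the <literal>CREATEROLE</literal> privilege can give any role it creates any privilege except superuser status, whether or not it holds that privilege itself", and dropping the "(except for creating roles with superuser privileges)" aside from the next sentence, since it is then already covered. Two style points in the same hunk: the new paragraph uses the short close tag <literal>CREATEROLE</> throughout while the surrounding context uses full close tags (<productname>PostgreSQL</productname>, <command>CREATE ROLE</command>), so the added text should use <literal>CREATEROLE</literal> and <literal>CREATEDB</literal> for consistency; and "almost-superuser-roles" reads better without the hyphens, e.g. "regard roles that have the <literal>CREATEROLE</literal> privilege as almost superuser roles."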