On Mon, Oct 4, 2021 at 10:57 PM Stephen Frost <sfr...@snowman.net> wrote: > - Disallow roles from being able to REVOKE role membership that they > didn't GRANT in the first place.
I think that's not quite the right test. For example, if alice and bob are superusers and alice grants pg_monitor to doug, bob should be able to revoke that grant even though he is not alice. I think the rule should be: roles shouldn't be able to REVOKE role memberships unless they can become the grantor. But I think maybe if it should even be more general than that and apply to all sorts of grants, rather than just roles and role memberships: roles shouldn't be able to REVOKE any granted permission unless they can become the grantor. For example, if bob grants SELECT on one of his tables to alice, he should be able to revoke the grant, too. But if the superuser performs the grant, why should bob be able to revoke it? The superuser has spoken, and bob shouldn't get to interfere ... unless of course he's also a superuser. -- Robert Haas EDB: http://www.enterprisedb.com
