> On 3 Nov 2021, at 23:18, Tom Lane <t...@sss.pgh.pa.us> wrote: > I'm generally pretty down on IF NOT EXISTS semantics in all cases, > but it seems particularly dangerous for something as fundamental > to privilege checks as a role. It's not hard at all to conjure up > scenarios in which this permits privilege escalation. That is, > Alice wants to create role Bob and give it some privileges, but > she's lazy and writes a quick-and-dirty script using CREATE ROLE > IF NOT EXISTS. Meanwhile Charlie sneaks in and creates Bob first, > and then grants it to himself. Now Alice's script is giving away > all sorts of privilege to Charlie. (Admittedly, Charlie must have > CREATEROLE privilege already, but that doesn't mean he has every > privilege that Alice has --- especially not as we continue working > to slice the superuser salami ever more finely.)
I agree with this take, I don't think the convenience outweighs the risk in this case. -- Daniel Gustafsson https://vmware.com/
