On Wed, Jan 25, 2023 at 08:47:14AM -0500, Robert Haas wrote:
> > I am not sure if the behavior is wrong, the error message is wrong, or
> > it is working as expected.
>
> It is indeed related to that discussion and change. In existing
> released branches, a CREATEROLE user can make any role a member of any
> other role even if they have no rights at all with respect to that
> role. This means that a CREATEROLE user can create a new user in the
> pg_execute_server_programs group even though they have no access to
> it. That allows any CREATEROLE user to take over the OS account, and
> thus also superuser. In master, the rules have been tightened up.
> CREATEROLE no longer exempts you from the usual permission checks
> about adding a user to a group. This means that a CREATEROLE user now
> needs the same permissions to add a user to a group as any other user
> would need, i.e. ADMIN OPTION on the group.
>
> In your example, the "service" user has CREATEROLE and is therefore
> entitled to create new roles. However, "service" can only add those
> new roles to groups for which "service" possesses ADMIN OPTION. And
> "service" does not have ADMIN OPTION on itself, because no role ever
> possesses ADMIN OPTION on itself.

So, how would someone with CREATEROLE permission add people to their own
role, without superuser permission? Are we adding any security by
preventing this?

-- 
  Bruce Momjian  <br...@momjian.us>        https://momjian.us
  EDB                                      https://enterprisedb.com

Embrace your flaws.  They make you human, rather than perfect,
which you will never be.
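As an added illustration (not part of the thread), SQL an administrator can run to audit the situation Robert describes: which non-superusers hold CREATEROLE, who is a member of the OS-reaching predefined roles (the example goes slightly beyond the mail by also listing pg_read_server_files and pg_write_server_files, which carry the same risk), and a self-contained check of the "service" case. The role names `service` and `app` are constructed for the example; the catalog columns are standard pg_catalog and the predefined roles exist from PostgreSQL 11 onward.

```sql
-- 1. Non-superuser roles holding CREATEROLE (the capability under discussion).
SELECT rolname
FROM pg_catalog.pg_roles
WHERE rolcreaterole AND NOT rolsuper
ORDER BY rolname;

-- 2. Memberships in predefined roles that reach the server's OS account.
--    On released branches any CREATEROLE holder could have created these
--    grants; on any version such a membership is effectively superuser, so
--    every row here should be deliberate and traceable to its grantor.
SELECT r.rolname       AS group_role,
       m.rolname       AS member,
       g.rolname       AS grantor,
       am.admin_option AS with_admin_option
FROM pg_catalog.pg_auth_members am
JOIN pg_catalog.pg_roles r ON r.oid = am.roleid
JOIN pg_catalog.pg_roles m ON m.oid = am.member
LEFT JOIN pg_catalog.pg_roles g ON g.oid = am.grantor
WHERE r.rolname IN ('pg_execute_server_program',  -- the role the mail refers to
                    'pg_read_server_files',
                    'pg_write_server_files')
ORDER BY 1, 2;

-- 3. Reproduce the "service" case from the mail to confirm which rules the
--    server enforces. Run as a superuser; role names are constructed.
CREATE ROLE service CREATEROLE LOGIN;
SET ROLE service;
CREATE ROLE app LOGIN;          -- allowed: service has CREATEROLE
GRANT service TO app;           -- released branches: succeeds (CREATEROLE bypass)
                                -- master: rejected, service lacks ADMIN OPTION on itself
RESET ROLE;
DROP ROLE app;
DROP ROLE service;
```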