author: Robert Haas <rhaas@postgresql.org> 2023-01-10 12:44:30 -0500
committer: Robert Haas <rhaas@postgresql.org> 2023-01-10 12:44:30 -0500
commit: cf5eb37c5ee0cc54c80d95c1695d7fca1f7c68cb
tree: 9b0d157501c5d0aebf1bac2db0fe83e30576440e /doc/src/sgml/ref/alter_role.sgml
parent: f026c16a2c5a3ee5d7aa6f85333ec80c905913ba
Restrict the privileges of CREATEROLE users.

Previously, CREATEROLE users were permitted to make nearly arbitrary changes to roles that they didn't create, with certain exceptions, particularly superuser roles. Instead, allow CREATEROLE users to make such changes to roles for which they possess ADMIN OPTION, and to grant membership only in roles for which they possess ADMIN OPTION.

When a CREATEROLE user who is not a superuser creates a role, grant ADMIN OPTION on the newly-created role to the creator, so that they can administer roles they create or for which they have been given privileges.

With these changes, CREATEROLE users still have very significant powers that unprivileged users do not receive: they can alter, rename, drop, comment on, change the password for, and change security labels on roles. However, they can now do these things only for roles for which they possess appropriate privileges, rather than all non-superuser roles; moreover, they cannot grant a role such as pg_execute_server_program unless they themselves possess it.

Patch by me, reviewed by Mark Dilger.

Discussion: https://postgr.es/m/CA+TgmobN59ct+Emmz6ig1Nua2Q-_o=r6DSD98KfU53kctq_kQw@mail.gmail.com
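
The rule described in the commit message, as an added example that is not part of the commit or of the PostgreSQL sources. It assumes a scratch server that includes this change and a superuser session in psql; the role names `alice`, `bob` and `legacy_app` are hypothetical.

```sql
-- Setup (superuser): one CREATEROLE user and one role she did not create.
CREATE ROLE alice CREATEROLE;
CREATE ROLE legacy_app;

-- Act as alice. She is neither a superuser nor a member of legacy_app.
SET ROLE alice;

-- alice creates bob, so she is given ADMIN OPTION on bob automatically.
CREATE ROLE bob;

-- Allowed: alice holds ADMIN OPTION on bob.
ALTER ROLE bob CONNECTION LIMIT 5;
ALTER ROLE bob SET statement_timeout = '30s';

-- Refused with a permission error: alice has no ADMIN OPTION on legacy_app.
ALTER ROLE legacy_app CONNECTION LIMIT 5;
ALTER ROLE legacy_app RENAME TO renamed_app;

-- Refused with a permission error: alice does not hold ADMIN OPTION on
-- pg_execute_server_program, so she cannot hand it out.
GRANT pg_execute_server_program TO bob;

RESET ROLE;

-- Audit (superuser): which roles can each non-superuser CREATEROLE user
-- administer? This lists direct ADMIN OPTION grants only; ADMIN OPTION
-- reached through a chain of memberships is not expanded here.
SELECT admin.rolname   AS createrole_user,
       target.rolname  AS administered_role,
       grantor.rolname AS granted_by
FROM pg_auth_members AS m
JOIN pg_roles AS admin   ON admin.oid   = m.member
JOIN pg_roles AS target  ON target.oid  = m.roleid
JOIN pg_roles AS grantor ON grantor.oid = m.grantor
WHERE m.admin_option
  AND admin.rolcreaterole
  AND NOT admin.rolsuper
ORDER BY createrole_user, administered_role;

-- Cleanup of the hypothetical roles.
DROP ROLE bob, legacy_app, alice;
```

The audit query should show one row for `alice` and `bob` before cleanup; rows naming predefined roles such as `pg_execute_server_program` as the administered role are the ones to review first.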
Diffstat (limited to 'doc/src/sgml/ref/alter_role.sgml')
-rw-r--r-- doc/src/sgml/ref/alter_role.sgml 8
1 files changed, 5 insertions, 3 deletions
diff --git a/doc/src/sgml/ref/alter_role.sgml b/doc/src/sgml/ref/alter_role.sgml
index f5c1264942..43067d3fec 100644
--- a/doc/src/sgml/ref/alter_role.sgml
+++ b/doc/src/sgml/ref/alter_role.sgml
@@ -73,7 +73,8 @@ ALTER ROLE { <replaceable class="parameter">role_specification</replaceable> | A
Roles having <literal>CREATEROLE</literal> privilege can change any of these
settings except <literal>SUPERUSER</literal>, <literal>REPLICATION</literal>,
and <literal>BYPASSRLS</literal>; but only for non-superuser and
- non-replication roles.
+ non-replication roles for which they have been
+ granted <literal>ADMIN OPTION</literal>.
Ordinary roles can only change their own password.
</para>
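Review bot: The added wording "for which they have been granted <literal>ADMIN OPTION</literal>" in the CREATEROLE sentence reads as if an explicit GRANT is always required, while the commit message says a non-superuser CREATEROLE user receives ADMIN OPTION automatically on any role it creates. Consider "for which they hold <literal>ADMIN OPTION</literal>", or add a clause or cross-reference that covers the grant made at creation time, so readers do not conclude that a creator has to be granted the option separately.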
@@ -81,7 +82,7 @@ ALTER ROLE { <replaceable class="parameter">role_specification</replaceable> | A
The second variant changes the name of the role.
Database superusers can rename any role.
Roles having <literal>CREATEROLE</literal> privilege can rename non-superuser
- roles.
+ roles for which they have been granted <literal>ADMIN OPTION</literal>.
The current session user cannot be renamed.
(Connect as a different user if you need to do that.)
Because <literal>MD5</literal>-encrypted passwords use the role name as
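Review bot: The rename sentence restricts CREATEROLE users to "non-superuser roles for which they have been granted ADMIN OPTION", whereas the first hunk says "non-superuser and non-replication roles". If renaming a replication role is intended to be allowed, the difference is still easy to read as an omission; please confirm it against the code and either align the wording or state the difference explicitly.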
@@ -116,7 +117,8 @@ ALTER ROLE { <replaceable class="parameter">role_specification</replaceable> | A
<para>
Superusers can change anyone's session defaults. Roles having
<literal>CREATEROLE</literal> privilege can change defaults for non-superuser
- roles. Ordinary roles can only set defaults for themselves.
+ roles for which they have been granted <literal>ADMIN OPTION</literal>.
+ Ordinary roles can only set defaults for themselves.
Certain configuration variables cannot be set this way, or can only be
set if a superuser issues the command. Only superusers can change a setting
for all roles in all databases.
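Review bot: With the ADMIN OPTION condition added to the session-defaults paragraph, one case is still left to inference: a role that holds ADMIN OPTION on another role but lacks CREATEROLE. "Ordinary roles can only set defaults for themselves" implies it cannot change that role's defaults, and one explicit sentence would remove the doubt. The phrase now appears three times in this file without a link to where ADMIN OPTION is documented, so a cross-reference on first use would also help.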