> On Jan 24, 2022, at 2:21 PM, Stephen Frost <sfr...@snowman.net> wrote:
>
> Superuser is a problem specifically because it gives people access to do
> absolutely anything, both for security and safety concerns. Disallowing a way
> to curtail that same risk when it comes to role ownership invites exactly
> those same problems.
Before the patch, users with CREATEROLE can do mischief. After the patch,
users with CREATEROLE can do mischief. The difference is that the mischief
that can be done after the patch is a proper subset of the mischief that can be
done before the patch. (Counter-examples highly welcome.)
Specifically, I claim that before the patch, non-superuser "bob" with
CREATEROLE can interfere with *any* non-superuser. After the patch,
non-superuser "bob" with CREATEROLE can interfere with *some* non-superusers;
specifically, with non-superusers he created himself, or which have had
ownership transferred to him.
Restricting the scope of bob's mischief is a huge win, in my view.
The argument about whether owners should always implicitly inherit privileges
from roles they own is a bit orthogonal to my point about mischief-making. Do
we at least agree on the mischief-abatement aspect of this patch set?
—
Mark Dilger
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
