mirror of https://github.com/postgres/postgres.git synced 2025-08-27 07:42:10 +03:00

Improve documentation of the CREATEROLE attribute.

In user-manag.sgml, document precisely what privileges are conveyed
by CREATEROLE. Make particular note of the fact that it allows
changing passwords and granting access to high-privilege roles.
Also remove the suggestion of using a user with CREATEROLE and
CREATEDB instead of a superuser, as there is no real security
advantage to this approach.

Elsewhere in the documentation, adjust text that suggests that
<literal>CREATEROLE</literal> only allows for role creation, and
refer to the documentation in user-manag.sgml as appropriate.

Patch by me, reviewed by Álvaro Herrera

Discussion: http://postgr.es/m/CA+TgmoZBsPL8nPhvYecx7iGo5qpDRqa9k_AcaW1SbOjugAY1Ag@mail.gmail.com
Robert Haas
2023-01-03 14:50:40 -05:00
parent 54afdcd618
commit 1c77873727
4 changed files with 52 additions and 25 deletions


@@ -41,10 +41,14 @@ PostgreSQL documentation
</para>
<para>
If you wish to create a new superuser, you must connect as a
superuser, not merely with <literal>CREATEROLE</literal> privilege.
If you wish to create a role with the <literal>SUPERUSER</literal>,
<literal>REPLICATION</literal>, or <literal>BYPASSRLS</literal> privilege,
you must connect as a superuser, not merely with
<literal>CREATEROLE</literal> privilege.
Being a superuser implies the ability to bypass all access permission
checks within the database, so superuser access should not be granted lightly.
checks within the database, so superuser access should not be granted
lightly. <literal>CREATEROLE</literal> also conveys
<link linkend='role-creation'>very extensive privileges</link>.
</para>
<para>
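Review bot: The closing sentence, "CREATEROLE also conveys very extensive privileges", does not tell the reader what the risk is unless they follow the link. The commit message singles out changing passwords and granting access to high-privilege roles, so consider naming those two capabilities in this sentence so the caution is visible on this page as well. Separately, the paragraph now says SUPERUSER, REPLICATION and BYPASSRLS all require a superuser connection, but the sentence that follows only explains why superuser access should not be granted lightly; a short clause on why the other two attributes are restricted would make the list read as justified rather than arbitrary.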
@@ -247,8 +251,12 @@ PostgreSQL documentation
<term><option>--createrole</option></term>
<listitem>
<para>
The new user will be allowed to create new roles (that is,
this user will have <literal>CREATEROLE</literal> privilege).
The new user will be allowed to create, alter, drop, comment on,
change the security label for, and grant or revoke membership in
other roles; that is,
this user will have <literal>CREATEROLE</literal> privilege.
See <xref linkend='role-creation' /> for more details about what
capabilities are conferred by this privilege.
</para>
</listitem>
</varlistentry>
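Review bot: The capability list under --createrole ("create, alter, drop, comment on, change the security label for, and grant or revoke membership in other roles") reads as unqualified, while the first hunk states that creating a role with SUPERUSER, REPLICATION or BYPASSRLS still requires a superuser. Consider a brief qualifier here, or wording the xref sentence so it points to the limits as well as the capabilities. Since the commit message calls out password changes in particular, it may also be worth mentioning them explicitly instead of leaving them implied by "alter", because this is the option text an administrator reads when deciding whether to pass the flag.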