Restrict the privileges of CREATEROLE users.

Previously, CREATEROLE users were permitted to make nearly arbitrary changes to roles that they didn't create, with certain exceptions, particularly superuser roles. Instead, allow CREATEROLE users to make such changes to roles for which they possess ADMIN OPTION, and to grant membership only in roles for which they possess ADMIN OPTION. When a CREATEROLE user who is not a superuser creates a role, grant ADMIN OPTION on the newly-created role to the creator, so that they can administer roles they create or for which they have been given privileges. With these changes, CREATEROLE users still have very significant powers that unprivileged users do not receive: they can alter, rename, drop, comment on, change the password for, and change security labels on roles. However, they can now do these things only for roles for which they possess appropriate privileges, rather than all non-superuser roles; moreover, they cannot grant a role such as pg_execute_server_program unless they themselves possess it. Patch by me, reviewed by Mark Dilger. Discussion: https://postgr.es/m/CA+TgmobN59ct+Emmz6ig1Nua2Q-_o=r6DSD98KfU53kctq_kQw@mail.gmail.com
2025-12-22 17:42:17 +03:00 · 2023-01-10 12:44:30 -05:00
parent f026c16a2c
commit cf5eb37c5e
15 changed files with 210 additions and 106 deletions
--- a/doc/src/sgml/ref/alter_role.sgml
+++ b/doc/src/sgml/ref/alter_role.sgml
@@ -73,7 +73,8 @@ ALTER ROLE { <replaceable class="parameter">role_specification</replaceable> | A
   Roles having <literal>CREATEROLE</literal> privilege can change any of these
   settings except <literal>SUPERUSER</literal>, <literal>REPLICATION</literal>,
   and <literal>BYPASSRLS</literal>; but only for non-superuser and
-   non-replication roles.
+   non-replication roles for which they have been
+   granted <literal>ADMIN OPTION</literal>.
   Ordinary roles can only change their own password.
  </para>

@@ -81,7 +82,7 @@ ALTER ROLE { <replaceable class="parameter">role_specification</replaceable> | A
   The second variant changes the name of the role.
   Database superusers can rename any role.
   Roles having <literal>CREATEROLE</literal> privilege can rename non-superuser
-   roles.
+   roles for which they have been granted <literal>ADMIN OPTION</literal>.
   The current session user cannot be renamed.
   (Connect as a different user if you need to do that.)
   Because <literal>MD5</literal>-encrypted passwords use the role name as
@@ -116,7 +117,8 @@ ALTER ROLE { <replaceable class="parameter">role_specification</replaceable> | A
  <para>
   Superusers can change anyone's session defaults. Roles having
   <literal>CREATEROLE</literal> privilege can change defaults for non-superuser
-   roles. Ordinary roles can only set defaults for themselves.
+   roles for which they have been granted <literal>ADMIN OPTION</literal>.
+   Ordinary roles can only set defaults for themselves.
   Certain configuration variables cannot be set this way, or can only be
   set if a superuser issues the command.  Only superusers can change a setting
   for all roles in all databases.
--- a/doc/src/sgml/ref/comment.sgml
+++ b/doc/src/sgml/ref/comment.sgml
@@ -99,7 +99,8 @@ COMMENT ON
   For most kinds of object, only the object's owner can set the comment.
   Roles don't have owners, so the rule for <literal>COMMENT ON ROLE</literal> is
   that you must be superuser to comment on a superuser role, or have the
-   <literal>CREATEROLE</literal> privilege to comment on non-superuser roles.
+   <literal>CREATEROLE</literal> privilege and have been granted
+   <literal>ADMIN OPTION</literal> on the target role.
   Likewise, access methods don't have owners either; you must be superuser
   to comment on an access method.
   Of course, a superuser can comment on anything.
--- a/doc/src/sgml/ref/create_role.sgml
+++ b/doc/src/sgml/ref/create_role.sgml
@@ -119,8 +119,8 @@ in sync when changing the above synopsis!
      <listitem>
       <para>
        These clauses determine whether a role will be permitted to
-        create, alter, drop, comment on, change the security label for,
-        and grant or revoke membership in other roles.
+        create, alter, drop, comment on, and change the security label for
+        other roles.
        See <xref linkend='role-creation' /> for more details about what
        capabilities are conferred by this privilege.
        If not specified, <literal>NOCREATEROLE</literal> is the default.
--- a/doc/src/sgml/ref/createuser.sgml
+++ b/doc/src/sgml/ref/createuser.sgml
@@ -252,8 +252,7 @@ PostgreSQL documentation
      <listitem>
       <para>
        The new user will be allowed to create, alter, drop, comment on,
-        change the security label for, and grant or revoke membership in
-        other roles; that is,
+        change the security label for other roles; that is,
        this user will have <literal>CREATEROLE</literal> privilege.
        See <xref linkend='role-creation' /> for more details about what
        capabilities are conferred by this privilege.
--- a/doc/src/sgml/ref/drop_role.sgml
+++ b/doc/src/sgml/ref/drop_role.sgml
@@ -32,7 +32,7 @@ DROP ROLE [ IF EXISTS ] <replaceable class="parameter">name</replaceable> [, ...
   <command>DROP ROLE</command> removes the specified role(s).
   To drop a superuser role, you must be a superuser yourself;
   to drop non-superuser roles, you must have <literal>CREATEROLE</literal>
-   privilege.
+   privilege and have been granted <literal>ADMIN OPTION</literal> on the role.
  </para>

  <para>
--- a/doc/src/sgml/ref/dropuser.sgml
+++ b/doc/src/sgml/ref/dropuser.sgml
@@ -35,9 +35,10 @@ PostgreSQL documentation
  <para>
   <application>dropuser</application> removes an existing
   <productname>PostgreSQL</productname> user.
-   Only superusers and users with the <literal>CREATEROLE</literal> privilege can
-   remove <productname>PostgreSQL</productname> users.  (To remove a
-   superuser, you must yourself be a superuser.)
+   Superusers can use this command to remove any role; otherwise, only
+   non-superuser roles can be removed, and only by a user who possesses
+   the <literal>CREATEROLE</literal> privilege and has been granted
+   <literal>ADMIN OPTION</literal> on the target role.
  </para>

  <para>
--- a/doc/src/sgml/ref/grant.sgml
+++ b/doc/src/sgml/ref/grant.sgml
@@ -271,9 +271,7 @@ GRANT <replaceable class="parameter">role_name</replaceable> [, ...] TO <replace
   in the role as well.  Without the admin option, ordinary users cannot
   do that.  A role is not considered to hold <literal>WITH ADMIN
   OPTION</literal> on itself.  Database superusers can grant or revoke
-   membership in any role to anyone.  Roles having
-   <literal>CREATEROLE</literal> privilege can grant or revoke membership
-   in any role that is not a superuser. This option defaults to
+   membership in any role to anyone. This option defaults to
   <literal>FALSE</literal>.
  </para>