Appended is a small documentation patch that adds a note to the CREATE

ROLE page, based on what Tom Lane told me here:

	http://archives.postgresql.org/pgsql-general/2005-11/msg00998.php


Joachim Wieland
This commit is contained in:
Bruce Momjian 2006-03-03 03:06:05 +00:00
parent 66eccb466e
commit b35440eae8
1 changed files with 14 additions and 1 deletions

View File

@ -1,5 +1,5 @@
<!--
$PostgreSQL: pgsql/doc/src/sgml/ref/create_role.sgml,v 1.6 2005/12/23 16:46:39 petere Exp $
$PostgreSQL: pgsql/doc/src/sgml/ref/create_role.sgml,v 1.7 2006/03/03 03:06:05 momjian Exp $
PostgreSQL documentation
-->
@ -347,6 +347,19 @@ where <replaceable class="PARAMETER">option</replaceable> can be:
specified in the SQL standard.
</para>
<para>
Be careful with the <literal>CREATEROLE</> privilege. There is no concept of
inheritance for the privileges of a <literal>CREATEROLE</>-role. That
means that even if a role does not have a certain privilege but is allowed
to create other roles, it can easily create another role with different
privileges than its own (except for creating roles with superuser
privileges). For example, if the role <quote>user</> has the
<literal>CREATEROLE</> privilege but not the <literal>CREATEDB</> privilege,
nonetheless it can create a new role with the <literal>CREATEDB</>
privilege. Therefore, regard roles that have the <literal>CREATEROLE</>
privilege as almost-superuser-roles.
</para>
<para>
<productname>PostgreSQL</productname> includes a program <xref
linkend="APP-CREATEUSER" endterm="APP-CREATEUSER-title"> that has