Re: CREATEROLE and role ownership hierarchies

Mark Dilger <mark.dilger@enterprisedb.com>

From: Mark Dilger <mark.dilger@enterprisedb.com>
To: Shinya Kato <Shinya11.Kato@oss.nttdata.com>, "Bossart, Nathan" <bossartn@amazon.com>
Cc: PostgreSQL-development <pgsql-hackers@postgresql.org>, Andrew Dunstan <andrew@dunslane.net>, Jeff Davis <pgsql@j-davis.com>
Date: 2021-10-27T22:21:43Z
Lists: pgsql-hackers

Attachments

>> On Oct 25, 2021, at 10:09 PM, Shinya Kato <Shinya11.Kato@oss.nttdata.com> wrote:

>> Hi! Thank you for the patch.
>> I too think that CREATEROLE escalation attack is problem.
>> 
>> I have three comments.
>> 1. Is there a function to check the owner of a role, it would be nice to be able to check with \du or pg_roles view.
> 
> No, but that is a good idea.

These two ideas are implemented in v2.  Both \du and pg_roles show the owner information.

> The current solution is to run REASSIGN OWNED in each database where the role owns objects before running DROP ROLE. At that point, the CASCADE option (not implemented) won't be needed.  Of course, I need to post the next revision of this patch set addressing the deficiencies that Nathan pointed out upthread to make that work. 

REASSIGN OWNED and ALTER ROLE..OWNER TO now work in v2.

Commits

  1. Make role grant system more consistent with other privileges.

  2. Ensure that pg_auth_members.grantor is always valid.

  3. Remove the ability of a role to administer itself.

  4. Add tests of the CREATEROLE attribute

  5. Replace explicit PIN entries in pg_depend with an OID range test.

  6. Shore up ADMIN OPTION restrictions.

  7. Add pg_has_role() family of privilege inquiry functions modeled after the

  8. Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion