Re: Superuser can't revoke role granted by non-superuser

Alexander Kukushkin <cyberdemn@gmail.com>

From: Alexander Kukushkin <cyberdemn@gmail.com>
To: Kirill Reshke <reshkekirill@gmail.com>
Cc: pgsql-bugs@postgresql.org
Date: 2025-01-27T09:22:58Z
Lists: pgsql-bugs
On Mon, 27 Jan 2025 at 10:20, Kirill Reshke <reshkekirill@gmail.com> wrote:

> Reproduced this at cf5eb37 (and not on its parent f026c16)
> There was some huge refactoring around user.c and particularly
> `check_role_grantor` function. I'm trying to comprehend.
>

I think the fix should look like:
diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
index 02824c32a49..29948d692b6 100644
--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -2342,7 +2342,8 @@ plan_single_revoke(CatCList *memlist,
RevokeRoleGrantAction *actions,
                authmem_form = (Form_pg_auth_members)
GETSTRUCT(authmem_tuple);

                if (authmem_form->member == member &&
-                       authmem_form->grantor == grantor)
+                       (authmem_form->grantor == grantor ||
+                        grantor == BOOTSTRAP_SUPERUSERID))
                {
                        if ((popt->specified &
GRANT_ROLE_SPECIFIED_INHERIT) != 0)
                        {

I am going to work on the patch and update regression tests accordingly.

Regards,
--
Alexander Kukushkin