Re: Superuser can't revoke role granted by non-superuser
Alexander Kukushkin <cyberdemn@gmail.com>
From: Alexander Kukushkin <cyberdemn@gmail.com>
To: Kirill Reshke <reshkekirill@gmail.com>
Cc: pgsql-bugs@postgresql.org
Date: 2025-01-27T09:22:58Z
Lists: pgsql-bugs
On Mon, 27 Jan 2025 at 10:20, Kirill Reshke <reshkekirill@gmail.com> wrote:
> Reproduced this at cf5eb37 (and not on its parent f026c16)
> There was some huge refactoring around user.c and particularly
> `check_role_grantor` function. I'm trying to comprehend.
>
I think the fix should look like:
diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
index 02824c32a49..29948d692b6 100644
--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -2342,7 +2342,8 @@ plan_single_revoke(CatCList *memlist,
RevokeRoleGrantAction *actions,
authmem_form = (Form_pg_auth_members)
GETSTRUCT(authmem_tuple);
if (authmem_form->member == member &&
- authmem_form->grantor == grantor)
+ (authmem_form->grantor == grantor ||
+ grantor == BOOTSTRAP_SUPERUSERID))
{
if ((popt->specified &
GRANT_ROLE_SPECIFIED_INHERIT) != 0)
{
I am going to work on the patch and update regression tests accordingly.
Regards,
--
Alexander Kukushkin