diff options
| -rw-r--r-- | doc/src/sgml/ref/create_role.sgml | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/doc/src/sgml/ref/create_role.sgml b/doc/src/sgml/ref/create_role.sgml index 16cd16ef5ac..e69d6899dd0 100644 --- a/doc/src/sgml/ref/create_role.sgml +++ b/doc/src/sgml/ref/create_role.sgml @@ -1,5 +1,5 @@ <!-- -$PostgreSQL: pgsql/doc/src/sgml/ref/create_role.sgml,v 1.4 2005/11/03 00:51:43 neilc Exp $ +$PostgreSQL: pgsql/doc/src/sgml/ref/create_role.sgml,v 1.4.2.1 2006/03/03 03:06:17 momjian Exp $ PostgreSQL documentation --> @@ -345,6 +345,19 @@ where <replaceable class="PARAMETER">option</replaceable> can be: </para> <para> + Be careful with the <literal>CREATEROLE</> privilege. There is no concept of + inheritance for the privileges of a <literal>CREATEROLE</>-role. That + means that even if a role does not have a certain privilege but is allowed + to create other roles, it can easily create another role with different + privileges than its own (except for creating roles with superuser + privileges). For example, if the role <quote>user</> has the + <literal>CREATEROLE</> privilege but not the <literal>CREATEDB</> privilege, + nonetheless it can create a new role with the <literal>CREATEDB</> + privilege. Therefore, regard roles that have the <literal>CREATEROLE</> + privilege as almost-superuser-roles. + </para> + + <para> <productname>PostgreSQL</productname> includes a program <xref linkend="APP-CREATEUSER" endterm="APP-CREATEUSER-title"> that has the same functionality as <command>CREATE ROLE</command> (in fact, |