From: Bruce Momjian <bruce@momjian.us>
Date: Fri, 3 Mar 2006 03:06:05 +0000 (+0000)
Subject: Appended is a small documentation patch that adds a note to the CREATE
X-Git-Tag: REL9_0_0~8294
X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=b35440eae8a3dddf6e0dcff6879941d5995f084a;p=pg-rex%2Fsyncrep.git

Appended is a small documentation patch that adds a note to the CREATE
ROLE page, based on what Tom Lane told me here:

	http://archives.postgresql.org/pgsql-general/2005-11/msg00998.php


Joachim Wieland
---

diff --git a/doc/src/sgml/ref/create_role.sgml b/doc/src/sgml/ref/create_role.sgml
index 60dce9b298..e25f07f570 100644
--- a/doc/src/sgml/ref/create_role.sgml
+++ b/doc/src/sgml/ref/create_role.sgml
@@ -1,5 +1,5 @@
 <!--
-$PostgreSQL: pgsql/doc/src/sgml/ref/create_role.sgml,v 1.6 2005/12/23 16:46:39 petere Exp $
+$PostgreSQL: pgsql/doc/src/sgml/ref/create_role.sgml,v 1.7 2006/03/03 03:06:05 momjian Exp $
 PostgreSQL documentation
 -->
 
@@ -348,6 +348,19 @@ where <replaceable class="PARAMETER">option</replaceable> can be:
   </para>
 
   <para>
+   Be careful with the <literal>CREATEROLE</> privilege. There is no concept of
+   inheritance for the privileges of a <literal>CREATEROLE</>-role. That
+   means that even if a role does not have a certain privilege but is allowed
+   to create other roles, it can easily create another role with different
+   privileges than its own (except for creating roles with superuser
+   privileges). For example, if the role <quote>user</> has the
+   <literal>CREATEROLE</> privilege but not the <literal>CREATEDB</> privilege,
+   nonetheless it can create a new role with the <literal>CREATEDB</>
+   privilege. Therefore, regard roles that have the <literal>CREATEROLE</>
+   privilege as almost-superuser-roles.
+  </para>
+
+  <para>
    <productname>PostgreSQL</productname> includes a program <xref
    linkend="APP-CREATEUSER" endterm="APP-CREATEUSER-title"> that has
    the same functionality as <command>CREATE ROLE</command> (in fact,