index 60dce9b298d886c6a0ac1c3b9907360ffed479ec..e25f07f570ee52cba78678f2df1d19405f22bd98 100644 (file)
<!--
-$PostgreSQL: pgsql/doc/src/sgml/ref/create_role.sgml,v 1.6 2005年12月23日 16:46:39 petere Exp $
+$PostgreSQL: pgsql/doc/src/sgml/ref/create_role.sgml,v 1.7 2006年03月03日 03:06:05 momjian Exp $
PostgreSQL documentation
-->
@@ -347,6 +347,19 @@ where <replaceable class="PARAMETER">option</replaceable> can be:
specified in the SQL standard.
</para>
+ <para>
+ Be careful with the <literal>CREATEROLE</> privilege. There is no concept of
+ inheritance for the privileges of a <literal>CREATEROLE</>-role. That
+ means that even if a role does not have a certain privilege but is allowed
+ to create other roles, it can easily create another role with different
+ privileges than its own (except for creating roles with superuser
+ privileges). For example, if the role <quote>user</> has the
+ <literal>CREATEROLE</> privilege but not the <literal>CREATEDB</> privilege,
+ nonetheless it can create a new role with the <literal>CREATEDB</>
+ privilege. Therefore, regard roles that have the <literal>CREATEROLE</>
+ privilege as almost-superuser-roles.
+ </para>
+
<para>
<productname>PostgreSQL</productname> includes a program <xref
linkend="APP-CREATEUSER" endterm="APP-CREATEUSER-title"> that has