From: Tom Lane
To: Christophe Pettus
Cc: Laurenz Albe, pgsql-general
Subject: Re: v16 roles, SET FALSE, INHERIT FALSE, ADMIN FALSE
Date: Mon, 08 Jul 2024 16:39:27 -0400

Christophe Pettus writes:
>> On Jul 8, 2024, at 13:25, Laurenz Albe wrote:
>> I didn't test it, but doesn't that allow the member role to drop objects owned
>> by the role it is a member of?

> No, apparently not.

IIUC, you need at least one of SET TRUE and INHERIT TRUE to be able to
access the privileges of the role you are nominally a member of.
This extends to ownership checks as well as grantable privileges.

regards, tom lane
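
The behaviour discussed in this thread, as an added example that is not part of the original message. It assumes PostgreSQL 16 or later, a superuser session in psql, and a scratch database; the role and table names are constructed for illustration.

```sql
-- Added example: demo_owner, demo_member and demo_owned are constructed names.
CREATE ROLE demo_owner NOLOGIN;
CREATE ROLE demo_member NOLOGIN;
CREATE TABLE demo_owned (id int);
ALTER TABLE demo_owned OWNER TO demo_owner;

-- Membership that carries none of the three options.
GRANT demo_owner TO demo_member WITH INHERIT FALSE, SET FALSE, ADMIN FALSE;

-- Catalog view of the grant. When inherit_option and set_option are both
-- false, the member has no path to the role's privileges.
SELECT r.rolname AS role, m.rolname AS member,
       am.admin_option, am.inherit_option, am.set_option,
       (am.inherit_option OR am.set_option) AS privileges_reachable
FROM pg_auth_members am
JOIN pg_roles r ON r.oid = am.roleid
JOIN pg_roles m ON m.oid = am.member
WHERE r.rolname = 'demo_owner';

-- The same question asked through pg_has_role(): nominal membership,
-- inherited use of privileges, and the ability to SET ROLE are separate checks.
SELECT pg_has_role('demo_member', 'demo_owner', 'MEMBER') AS is_member,
       pg_has_role('demo_member', 'demo_owner', 'USAGE')  AS inherits_privileges,
       pg_has_role('demo_member', 'demo_owner', 'SET')    AS can_set_role;

-- Act as the member. With neither INHERIT nor SET, the ownership check on
-- DROP TABLE and the SET ROLE attempt are both rejected.
SET SESSION AUTHORIZATION demo_member;
DROP TABLE demo_owned;
SET ROLE demo_owner;
RESET SESSION AUTHORIZATION;

-- Re-granting with INHERIT TRUE updates the existing membership; the member
-- now passes the ownership check and the DROP goes through.
GRANT demo_owner TO demo_member WITH INHERIT TRUE;
SET SESSION AUTHORIZATION demo_member;
DROP TABLE demo_owned;
RESET SESSION AUTHORIZATION;

-- Cleanup.
REVOKE demo_owner FROM demo_member;
DROP ROLE demo_member;
DROP ROLE demo_owner;
```

Dropping the `WHERE` clause from the `pg_auth_members` query turns it into a cluster-wide audit of which memberships actually convey privileges.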