Date: Thu, 20 Apr 2023 14:06:21 -0400
From: Jeffrey Walton <>
Subject: PostgreSQL and CREATEROLE permission

Hi Everyone,

This information showed up on the pgsql-general mailing list at [1].
It appears a user with CREATEROLE can elevate to root through

It looks like PostgreSQL folks will be changing a recommendation and
modifying behavior at v16.[3] Here is the commit of interest: [4].
Changes will not be made for previously released versions of

PostgreSQL does not have a hardening guide. I would hate to see the
nugget lost in a mailing list message or change log entry.

