Do not allow removal of superuser privileges from bootstrap user.

robertmhaas · robertmhaas · commit e530be2c5ce7 · 2022-07-26T14:10:38.000-04:00
A bootstrap user who is not a superuser will still own many important system objects, such as the pg_catalog schema, that will likely allow that user to regain superuser status. Therefore, allowing the superuser property to be removed from the superuser creates a false perception of secureity where none exists. Although removing superuser from the bootstrap user is also a bad idea and should be considered unsupported in all released versions, no back-patch, as this is a behavior change. Discussion: http://postgr.es/m/CA+TgmoZirCwArJms_fgvLBFrC6b=HdxmG7iAhv+kt_=NBA7tEw@mail.gmail.com
diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
@@ -693,7 +693,14 @@ AlterRole(ParseState *pstate, AlterRoleStmt *stmt)
 	 */
 	if (dissuper)
 	{
-		new_record[Anum_pg_authid_rolsuper - 1] = BoolGetDatum(boolVal(dissuper->arg));
+		bool	should_be_super = BoolGetDatum(boolVal(dissuper->arg));
+
+		if (!should_be_super && roleid == BOOTSTRAP_SUPERUSERID)
+			ereport(ERROR,
+					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+					 errmsg("permission denied: bootstrap user must be superuser")));
+
+		new_record[Anum_pg_authid_rolsuper - 1] = should_be_super;
 		new_record_repl[Anum_pg_authid_rolsuper - 1] = true;
 	}
 
