Robert Haas doesn’t wear a cape:
As I’ve written about before, a PostgreSQL superuser always has the ability to take over the operating system account in which PostgreSQL is running, but sometimes you’d like to have a role that can administer the database but not break out of it. In existing releases, there’s no good way to accomplish that. You can either make a new role so weak that it can’t perform ordinary administration tasks, or you can make it so strong that it can easily break into the operating system account and thus take over the superuser role as well. Unless you hack the source code, which some people have done, there’s no real way to set up an account that has enough power to usefully administer the database in meaningful ways but yet not enough power to take over everything. I’ve committed a number of patches to v16 to try to improve the situation, and I think that we can look forward to big improvements in this area once it is released.
Read on for some of the implications of this change.