Backported CORE-6489: User without ALTER ANY ROLE privilege can use C…

…OMMENT ON ROLE

src/jrd/ini.epp

@@ -445,6 +445,9 @@ void INI_format(const char* owner, const char* charset)
 			generator->gen_name, length, buffer);
 	}
 
+	add_security_to_sys_obj(tdbb, ownerName, obj_sql_role,
+		ADMIN_ROLE, length, buffer);
+
 	for (const IntlManager::CharSetDefinition* charset = IntlManager::defaultCharSets;
 		 charset->name;
 		 ++charset)
@@ -1175,6 +1178,18 @@ static void add_security_to_sys_obj(thread_db* tdbb,
 		}
 		END_FOR
 	}
+	else if (obj_type == obj_sql_role)
+	{
+		FOR(REQUEST_HANDLE handle) R IN RDB$ROLES
+			WITH R.RDB$ROLE_NAME EQ obj_name.c_str()
+		{
+			MODIFY R USING
+				R.RDB$SECURITY_CLASS.NULL = FALSE;
+				PAD(security_class.c_str(), R.RDB$SECURITY_CLASS);
+			END_MODIFY
+		}
+		END_FOR
+	}
 	else if (obj_type == obj_database)
 	{
 		FOR(REQUEST_HANDLE handle) DB IN RDB$DATABASE