Matthieu Verove writes:
> When we enter:
>
> > create user dba1 createdb createuser;
>
> and after:
> > select * from pg_user;
>
> the result is:
>
> > usename |usesysid|usecreatedb|usetrace|usesuper|usecatupd|passwd|valuntil
> > ------+------+--------+-----+-------+------+------+------
> > postgres| 31|t |t |t |t |********
> > dba1 | 32 |t |f |t |f |********|
> > | |
> > | |
> > | |
> > ---------------->Why is it false????
>

If you count the fields right you will see that
usename=dba1
usesysid=32
usecreatedb=t
usetrace=f
usesuper=t
usecatupd=f
...
Everything ok.

> And what do "usetrace" and "usecatupd" mean?

usetrace is not used as far as I can tell. I can guess what it might have
been intended for, but that's not of interest here. usecatupd lets you
update system catalogs directly. The option is intended to protect DBAs
from themselves.

> > template1=> create user x nocreatedb nocreateuser;
> > ERROR: defineUser: user "dba1" does not have SELECT and INSERT privilege for "pg_shadow"
> >
> Why?

Because that's what you need usecatupd for. (Not by intention but by
effect.)
The whole user creation implementation was completely bogus in
pre-7.0. Feel free to try our new product.

> Why can we easily read the passwords in the file pg_pwd?
> Is there a way to prevent everyone from reading those passwords?

The data directory and pg_pwd file are not world-readable, so that
shouldn't be a problem. I agree that the stuff should be encrypted anyway
but that's a bit of work for a variety of other reasons.

--
Peter Eisentraut Sernanders väg 10:115
[EMAIL PROTECTED] 75262 Uppsala
http://yi.org/peter-e/ Sweden
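
A way to verify the permission claim in the reply above on a given installation, as an added example that is not part of the original message or of PostgreSQL. The function names are hypothetical, and the script assumes pg_pwd sits directly inside the data directory; the sample directory it audits is constructed.

```python
import os
import stat
import tempfile

def audit_path(path):
    """Return the permission problems found on one path (empty list if none)."""
    st = os.lstat(path)  # lstat: do not follow a symlink planted in place of the file
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink; audit its target instead"]
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if mode & stat.S_IRWXO:
        problems.append("accessible to other users (mode %04o)" % mode)
    if mode & stat.S_IRWXG:
        problems.append("accessible to group (mode %04o)" % mode)
    return problems

def audit_pgdata(pgdata, secret_files=("pg_pwd",)):
    """Audit the data directory and the password file(s) assumed to sit in it.
    Returns {path: [problems]} containing only paths with findings."""
    findings = {}
    for path in [pgdata] + [os.path.join(pgdata, f) for f in secret_files]:
        if not os.path.lexists(path):
            continue  # e.g. no pg_pwd written yet
        problems = audit_path(path)
        if problems:
            findings[path] = problems
    return findings

def demo():
    """Constructed sample: a throwaway directory standing in for a data directory."""
    with tempfile.TemporaryDirectory() as d:
        pwd = os.path.join(d, "pg_pwd")
        with open(pwd, "w") as fh:
            fh.write("constructed sample, not a real password file\n")
        os.chmod(d, 0o755)
        os.chmod(pwd, 0o644)
        loose = audit_pgdata(d)   # both paths flagged
        os.chmod(d, 0o700)
        os.chmod(pwd, 0o600)
        tight = audit_pgdata(d)   # nothing flagged
        return len(loose), len(tight)

if __name__ == "__main__":
    print(demo())
```

A 0700 data directory already keeps other users from reaching pg_pwd; flagging the file as well catches the case where the directory is loosened later.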