> I have spend a lot of time pondering exactly this issue when I wrote it. I
> guess you can flip it either way. On the one hand "CREATEUSER" has
> traditionally been synonymous with "superuser" (which is a problem, I
> believe), and catupd was created so that superusers are "protected from
> themselves" so they should not be intermixed.
>
> The reason that create user sets usecatupd to true is if you happen to
> have no user left with usecatupd you can't really go in an alter
> pg_shadow, ey? Then you can create a new superuser (assume you have *some*
> superuser left) and rethink all your privileges again.
>
> I don't recall exactly what it did earlier but this is still bogus as it
> is. Answer no.1 would be to never grant usecatupd automatically but
> instead exempt pg_shadow from the privileges it describes (that sentence
> right there describes why this is all a problem). Answer no.2 would be to
> add usecatupd to the create/alter user set but I'd like to wait to
> redesign the create/alter user syntax for that. No.3 would be to have
> alter user set usecatupd = usesuper in any case. (What if you revoke
> superuser privileges? Should you revoke catupd as well?)
I like #3. I don't believe protecting super-users from themselves is
very Unix-like.
--
Bruce Momjian | http://www.op.net/~candle
[EMAIL PROTECTED] | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
