Sorry for the response delay. I was out of town.
I don't believe that pg_user needs to be readable by users in general. They
don't really need to know who else has access to the DB, and they certainly
don't need to know what access they do have (e.g. usesuper and createuser).
As for the suggestion that the passwords don't need to be in the cache, this is
incorrect. For the system (as I have designed it) to work, the postmaster must
check at each login to see if the user has a password. Using another relation
along with a select to look up the password from pg_user is not as efficient,
and it is not possible from the postmaster. In order for this to work, each
time that pg_user or pg_password (if we use a 2nd relation) is modified, a join
must be performed between the two (essentially perform a select on a view that
performs the join) before the data can be copied to the pg_pwd file for the
postmaster to use. I don't even know if the copy command will work with a view.
For these reasons I still believe that pg_user should just remain non-accessible
to the general public.
Todd A. Brandys