On Wed, 18 Feb 1998, Bruce Momjian wrote:
> Here are the items. Can I remove any of them?
>
> Looking over the list, the only major one I see is that pg_user is not
> world-readable, and with Todd not responding, I am thinking I may need
> to do some ripout. Right now, \d does not work for non-super-users.
> Can you imagine the problem reports we will get on that?
Okay, I just grabbed our "resident Oracle guru"s time to see how Oracle
does this, and I'm CCng him in on this...
Basically, from what we can tell, there is one large table that contains
the user information, including passwords. If we go in as 'the dba'
himself (same as our super user), we can view the table in its
entirety...if we go in as "joe blow user", you can only look at a "view"
of the table.
"select * from all_users;" <- no passwords
"select * from dba_users;" <- includes passwords
So, I think that Todd has the right idea, but where we are lacking is the
ability to have pg_users "closed" to non-su users to view all its data,
but have it "open" through a system view...
So, what we need is the ability to have a view created, as part of the
system itself, that does:
"select usename,usesysid,<etc, minus passwd,valuntil>
from pg_user;"
So that that information is available, but the password isn't...