Re: [GENERAL] createuser: How to specify a database to connect to

Adrian Klaver <adrian.klaver@aklaver.com> writes:
> On 03/13/2017 08:52 AM, Tom Lane wrote:
>> If by "history" you're worried about the server-side statement log, this
>> is merest fantasy: the createuser program is not magic, it just constructs
>> and sends a CREATE USER command for you.  You'd actually be more secure
>> using psql, where (if you're superuser) you could shut off log_statement
>> for your session first.

> There is a difference though:

> psql> CREATE USER:

> postgres-2017-03-13 09:03:27.147 PDT-0LOG:  statement: create user
> dummy_user with login password '1234';

Well, what you're supposed to do is

postgres=# create user dummy_user;
postgres=# \password dummy_user
Enter new password:
Enter it again:
postgres=#

which will result in sending something like

ALTER USER dummy_user PASSWORD 'md5c5e9567bc40082671d02c654260e0e09'

You can additionally protect that by wrapping it into one transaction
(if you have a setup where the momentary existence of the role without a
password would be problematic) and/or shutting off logging beforehand.

            regards, tom lane