Andreas Karlsson <andr...@proxel.se> writes:
> On 3/21/19 7:07 AM, Chris Travers wrote:
>> 1.  createuser/dropuser are things that I don't consider good ways of 
>> creating users anyway.

> Those binaries are pretty convenient to use in scripts since they handle 
> SQL escaping for you, but probably not convenient enough that we would 
> have added createuser today.

> Compare
> createuser "$USER"
> vs
> echo 'CREATE ROLE :"user" LOGIN' | psql postgres -v "user=$USER"

Hmm.  That example is actually quite scary, because while nearly
anybody who's ever done any shell scripting would get the first
one right, the second one requires a fair deal of specialized
knowledge and creativity.  I fear that 99% of people would have
coded it like

        echo "CREATE USER $USER" | psql

or some variant on that, and now they have a SQL-injection
hazard that they didn't have before.

So there seems like a real risk that taking away createuser would
result in security holes, not just annoying-but-trivial script update
work.  That puts me more in the camp of "if we're going to do anything,
rename it with a pg_ prefix" than "if we're going to do anything,
remove it".

                        regards, tom lane
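A small shell illustration of the hazard described above, added here and not part of the thread: it builds the SQL text that the naive and the identifier-quoted forms would send to psql (psql itself is not run; `quote_ident` is an assumed helper that mimics what psql's `:"var"` interpolation does with a `-v` variable, and the role names are constructed inputs).

```shell
# Added example, not code from the original thread. POSIX sh only;
# psql is never invoked, the functions just return the SQL text.

# quote_ident: wrap the name in double quotes, doubling any embedded
# double quote. This is the same transformation psql applies when a
# -v variable is referenced as :"var" in the script.
quote_ident() {
    printf '"%s"' "$(printf '%s' "$1" | sed 's/"/""/g')"
}

# Naive form from the thread: the role name is pasted into the SQL
# text, so whatever follows the first space becomes extra SQL.
naive_sql() {
    printf 'CREATE USER %s' "$1"
}

# Quoted form: the name is always one identifier token, no matter
# what characters it contains. Equivalent psql invocation:
#   echo 'CREATE ROLE :"user" LOGIN' | psql postgres -v "user=$1"
safe_sql() {
    printf 'CREATE ROLE %s LOGIN' "$(quote_ident "$1")"
}

# Constructed input: a "user name" that carries a role attribute.
# naive_sql turns it into CREATE USER bob SUPERUSER, i.e. the extra
# word is executed as SQL; safe_sql creates a single oddly named role.
name='bob SUPERUSER'
naive_sql "$name"; echo
safe_sql "$name"; echo
```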
