Oliver Fromme <olli@lurza.secnetix.de> writes:
> So I tried this: REVOKE ALL ON pg_user FROM PUBLIC;
> which was acknowledged by the word "REVOKE", and there was
> no error message. But it doesn't have any effect. All
> users can still perform SELECT on pg_user and see everyone.
... it works for me ...
regression=# REVOKE ALL ON pg_user FROM PUBLIC;
REVOKE
regression=# create user joe;
CREATE USER
regression=# \c - joe
You are now connected as new user joe.
regression=> select * from pg_user;
ERROR: pg_user: permission denied
Keep in mind though that you'll need to do this in each database.
(If you do it in template1, databases subsequently cloned from
template1 will have the desired pg_user permissions already.) Also,
I doubt that pg_dump will create any record of your change to pg_user.
regards, tom lane
