Tom Lane wrote:
> To put that more clearly: if the point is to keep the user's
> cleartext password out of the hands of the DBA, then the user has
> already blown it by sending the password in cleartext in the first
> place. An untrustworthy DBA could trivially insert code into CREATE
> USER to log the original password in a place of his choosing.
With SELinux or similar systems, it might be the case that the DBA could
not change or insert any code but could configure and read the server
logs. But this is admittedly a rare case currently.
--
Peter Eisentraut
http://developer.postgresql.org/~petere/