11<!--
2- $Header: /cvsroot/pgsql/doc/src/sgml/ref/createuser.sgml,v 1.23 2002/01/20 22: 19:56 petere Exp $
2+ $Header: /cvsroot/pgsql/doc/src/sgml/ref/createuser.sgml,v 1.24 2002/02/13 19:32:17 tgl Exp $
33PostgreSQL documentation
44-->
55
@@ -79,7 +79,7 @@ PostgreSQL documentation
7979 <term>-d, --createdb</term>
8080 <listitem>
8181 <para>
82- Allows the new user to create databases.
82+ The new user is allowed to create databases.
8383 </para>
8484 </listitem>
8585 </varlistentry>
@@ -88,7 +88,7 @@ PostgreSQL documentation
8888 <term>-D, --no-createdb</term>
8989 <listitem>
9090 <para>
91- Forbids the new user to create databases.
91+ The new user is not allowed to create databases.
9292 </para>
9393 </listitem>
9494 </varlistentry>
@@ -97,7 +97,9 @@ PostgreSQL documentation
9797 <term>-a, --adduser</term>
9898 <listitem>
9999 <para>
100- Allows the new user to create other users.
100+ The new user is allowed to create other users.
101+ (Note: actually, this makes the new user a <firstterm>superuser</>.
102+ The option is poorly named.)
101103 </para>
102104 </listitem>
103105 </varlistentry>
@@ -106,7 +108,8 @@ PostgreSQL documentation
106108 <term>-A, --no-adduser</term>
107109 <listitem>
108110 <para>
109- Forbids the new user to create other users.
111+ The new user is not allowed to create other users (i.e.,
112+ the new user is a regular user not a superuser).
110113 </para>
111114 </listitem>
112115 </varlistentry>
@@ -215,9 +218,17 @@ PostgreSQL documentation
215218 <para>
216219 <application>createuser</application> creates a
217220 new <productname>PostgreSQL</productname> user.
218- Only users with <literal>usesuper</literal> set in
219- the <literal>pg_shadow</literal> table can create
220- new <productname>PostgreSQL</productname> users.
221+ Only superusers (users with <literal>usesuper</literal> set in
222+ the <literal>pg_shadow</literal> table) can create
223+ new <productname>PostgreSQL</productname> users,
224+ so <application>createuser</application> must be
225+ invoked by someone who is a <productname>PostgreSQL</productname>
226+ superuser.
227+ </para>
228+
229+ <para>
230+ Being a superuser also implies the ability to bypass access permission
231+ checks within the database, so superuser-dom should not be granted lightly.
221232 </para>
222233
223234 <para>
@@ -227,10 +238,11 @@ PostgreSQL documentation
227238 the <productname>PostgreSQL</productname> interactive terminal
228239 <xref linkend="APP-PSQL">. Thus, there is nothing
229240 special about creating users via this or other methods. This means
230- that the <application>psql</application> must be found by the script and that
231- a database server is running at the targeted host. Also, any default
232- settings and environment variables available to <application>psql</application>
233- and the <application>libpq</application> front-end library do apply.
241+ that the <application>psql</application> application must be found by the
242+ script and that
243+ a database server must be running at the targeted host. Also, any default
244+ settings and environment variables used by <application>psql</application>
245+ and the <application>libpq</application> front-end library will apply.
234246 </para>
235247
236248 </refsect1>