Re: Réf. : RE: Running PostGre on DVD

From: Martijn van Oosterhout <kleptog(at)svana(dot)org>
To: Magnus Hagander <mha(at)sollentuna(dot)net>
Cc: "Jim C(dot) Nasby" <jnasby(at)pervasive(dot)com>, Stephan Szabo <sszabo(at)megazone(dot)bigpanda(dot)com>, eric(dot)leguillier(at)mpsa(dot)com, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Réf. : RE: Running PostGre on DVD
Date: 2005-11-15 21:09:51
Message-ID: 20051115210946.GO7519@svana.org
Lists: pgsql-hackers

On Tue, Nov 15, 2005 at 08:43:06PM +0100, Magnus Hagander wrote:
> Ok. Didn't know that part about nonexistent ids.

Usernames are implementation details: if you ask to become user 38587,
the kernel doesn't check whether they exist. You just might not be able
to open any files anymore :)

> > For example, does the windows model allow you to say (without
> > creating a new user): I irrevocably restrict my access to
> > files owned by user X for this process *only*. Or to files
> > under subdirectory Y. Or I irrevocably restrict my access to
> > open new network sockets. Or irrevocably restrict my access
> > to create new users.
>
> Not entirely sure. You can get rid of privileges, and you can get rid of
> group memberships. Don't think you can do it for a specific file,
> because that's driven by the ACL on the file and not on the token. (You
> can get rid of the group that had permissions on it which would give you
> the same effect, but if someone granted your account direct permissions
> on it, you'd still be able to access it).

Ah, now we are making progress. If there was a way to give up file
access permissions so you could no longer write files to, say, the
Windows System directory, this would go a long way to solving the
issue. Currently, if the Postmaster runs as admin, anyone with access
to the database could use COPY to read and write any file the backend
can access.

> Hmm. I guess we could try the approach of dropping groups in pg_ctl
> before we even call postmaster... Should be doable, if someone wants to
> do the lifting. That way we could keep the admin check in the postmaster,
> because we'd get rid of admin before we got there...

Actually, it could possibly be acceptable to do it inside the
postmaster itself. It doesn't really matter where it's done, as long as
it permanently restricts the access of the postmaster from then on.

Quickly looking, I found a site [1] that refers to OpenProcessToken()
and AdjustTokenPrivileges() which appears to allow you to drop
permissions you have. There is also something called
CreateRestrictedToken() which can then be passed to
CreateProcessAsUser().

Maybe one of the Win32 hackers wants to look into this to see what can
be done.

[1] http://www.winterdom.com/dev/security/tokens.html

Have a nice day,
--
Martijn van Oosterhout <kleptog(at)svana(dot)org> http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.
