Re: PgSQL not as Administrator - probs on w

From: "Andrew Dunstan" <andrew(at)dunslane(dot)net>
To: <merlin(dot)moncure(at)rcsonline(dot)com>
Cc: <xsteve(at)gmail(dot)com>, <pgsql-hackers-win32(at)postgresql(dot)org>
Subject: Re: PgSQL not as Administrator - probs on w
Date: 2004-07-09 15:02:17
Message-ID: 3921.68.16.180.225.1089385337.squirrel@www.dunslane.net
Lists: pgsql-hackers-win32

Merlin Moncure said:
> Steve Tibbett wrote:
>> It is normal on Windows for users to have admin rights on the local
>> system. As much as this needs to be changed, you're not going to
>> change it. If you insist on not running on an account with admin
>> rights, you're just going to frustrate users
>>
>> You could say "Windows is inherently insecure; refusing to run". That
>> would make the port much simpler. :)
>>
>> A warning is appropriate I think.. but refusing to run is going
>> overboard. Just my two cents.
>
> I disagree completely. Opening a tcp/ip server with this level of
> complexity for root access is a recipe for disaster. Wait until an
> exploit pops up and hundreds of win32 boxes get rooted. This would be
> a huge embarrassment and would be awful press. Do you really want to
> allow for this scenario?
>

One compromise might be that we refuse to run with elevated privs on Windows
if configured to listen on more than localhost. Then developers with admin
privs could play happily, but server admins would need to do the Right Thing
(tm). Of course, if another local service could be induced to do bad things
via postgres that would be no protection, but at least we would not be the
primary attack vector.

cheers

andrew
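The compromise proposed above, worked as an added example (not PostgreSQL's own code, nor code from anyone in this thread): startup is refused only when the process is elevated and the configured listen addresses reach beyond loopback. The comma-separated listen_addresses format, the helper names, and the Windows token check through CheckTokenMembership on the BUILTIN\Administrators SID are assumptions made here.

```c
#include <stdbool.h>
#include <string.h>
#include <ctype.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <unistd.h>
#endif
/* Hypothetical helper: does listen_addresses bind anything beyond loopback?
 * "*", hostnames and LAN IPs count as exposed; empty/NULL opens no socket. */
bool listens_beyond_localhost(const char *listen_addresses)
{
    const char *p = listen_addresses;
    while (p != NULL && *p)
    {
        char item[64];
        size_t n = 0;
        while (*p && (*p == ',' || isspace((unsigned char) *p)))
            p++;                /* skip separators and whitespace */
        while (*p && *p != ',' && !isspace((unsigned char) *p) && n < sizeof(item) - 1)
            item[n++] = *p++;
        item[n] = '\0';
        if (n > 0 && strcmp(item, "localhost") != 0 &&
            strcmp(item, "127.0.0.1") != 0 && strcmp(item, "::1") != 0)
            return true;
    }
    return false;
}
/* Hypothetical helper: true when the process token holds BUILTIN\Administrators
 * (Windows) or the effective uid is root (elsewhere); API failures fail closed. */
bool running_with_elevated_privs(void)
{
#ifdef _WIN32
    SID_IDENTIFIER_AUTHORITY nt_auth = SECURITY_NT_AUTHORITY;
    PSID admins = NULL;
    BOOL is_member = TRUE;
    if (!AllocateAndInitializeSid(&nt_auth, 2, SECURITY_BUILTIN_DOMAIN_RID,
                                  DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &admins))
        return true;
    if (!CheckTokenMembership(NULL, admins, &is_member))
        is_member = TRUE;
    FreeSid(admins);
    return is_member != FALSE;
#else
    return geteuid() == 0;
#endif
}
/* The proposed compromise: refuse startup only when both conditions hold. */
bool should_refuse_to_start(bool elevated, const char *la) { return elevated && listens_beyond_localhost(la); }
```

A postmaster would call should_refuse_to_start(running_with_elevated_privs(), listen_addresses) before opening any socket and exit with an error when it returns true.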
