From: | Shachar Shemesh <psql(at)shemesh(dot)biz> |
---|---|
To: | Magnus Hagander <mha(at)sollentuna(dot)net> |
Cc: | pgsql-patches(at)postgresql(dot)org |
Subject: | Re: Run-as-admin warning for win32 |
Date: | 2004-05-04 02:37:35 |
Message-ID: | 409701EF.6030002@shemesh.biz |
Lists: | pgsql-patches |

1. You forgot to check "localsystem", as well as "domain admins". These
two have even higher permissions than the ones you test for, and one of
them is the default if Postgres ever makes it to become a service.
2. Are you sure "Powerusers" is such a good idea? It's the default for
all non-admin users. When Postgres becomes a service, it's going to be
relatively easy to configure it to run as a low-priv user. Until then,
however, isn't it too difficult for admins to set up the system for it
to run as a different user?
Shachar
Magnus Hagander wrote:
>For review, comments and possible application to HEAD.
>
>This code implements a warning when the postmaster is started as a
>high-privilege account on win32 (administrator or power users).
>Previously, postgresql has exited out on Unix when running as root -
>this is a similar check, with the following differences:
>
>* We do an ereport(WARNING) instead of exiting out. The reason for this
>is that we can expect there are win32 admins that will want to run the
>server with a high privilege account. Just sending a warning will permit
>this (say, when debugging etc, or if people are just too lazy to care),
>while clearly stating it's not a recommended way to do it.
>
>* The Unix check is directly in main.c. We cannot do this on win32,
>because at this stage we can only printf and exit. Win32 needs ereport.
>Consider when running as a service - before we have loaded up
>postgresql.conf and noticed we should write to the eventlog, we cannot
>inform the user in any way (stderr = /dev/null from a service by
>default). Therefore, the win32 check is in PostmasterMain. There might be
>a slightly better place to put it, not 100% sure about that..
>
>
>The win32 specific code is mainly in the file security.c to go in
>src/backend/port/win32.
>
>
>//Magnus
>
>
>
> <<security.c>> <<admin_warning.patch>>
--
Shachar Shemesh
Lingnu Open Source Consulting
http://www.lingnu.com/
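
The identities discussed in this message (Administrators, Power Users, LocalSystem, Domain Admins) all have well-known SIDs, but Domain Admins is domain-relative (RID 512 under the domain's own SID), so it has to be matched by shape rather than by a fixed string. The following is an added example, not code from the patch under review: portable C that classifies SID strings, with function names, flag names and sample SIDs constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit flags for the high-privilege identities named in this thread. */
enum { PRIV_LOCAL_SYSTEM = 1, PRIV_ADMINISTRATORS = 2,
       PRIV_POWER_USERS = 4, PRIV_DOMAIN_ADMINS = 8 };

/* Classify one SID given in string form; returns a PRIV_* flag or 0. */
int classify_sid(const char *sid)
{
    unsigned long sub[15];              /* a SID has at most 15 subauthorities */
    int n = 0;
    char *end;

    if (strncmp(sid, "S-1-5-", 6) != 0) /* revision 1, NT Authority (5) */
        return 0;
    for (sid += 5; *sid == '-' && n < 15; sid = end) {
        if (!isdigit((unsigned char) sid[1]))
            return 0;                   /* reject empty or signed fields */
        sub[n++] = strtoul(sid + 1, &end, 10);
    }
    if (*sid != '\0')
        return 0;                       /* trailing junk or too many fields */

    if (n == 1 && sub[0] == 18) return PRIV_LOCAL_SYSTEM;          /* S-1-5-18 */
    if (n == 2 && sub[0] == 32 && sub[1] == 544) return PRIV_ADMINISTRATORS;
    if (n == 2 && sub[0] == 32 && sub[1] == 547) return PRIV_POWER_USERS;
    /* Domain-relative: S-1-5-21-<three domain values>-512 */
    if (n == 5 && sub[0] == 21 && sub[4] == 512) return PRIV_DOMAIN_ADMINS;
    return 0;
}

/* OR together the flags for a token's user SID and all of its group SIDs. */
int token_privileges(const char *const *sids, size_t count)
{
    int flags = 0;
    for (size_t i = 0; i < count; i++)
        flags |= classify_sid(sids[i]);
    return flags;
}

int main(void)
{
    /* Constructed sample: a domain user who is in Domain Admins. */
    const char *const sids[] = { "S-1-5-21-1111111111-2222222222-3333333333-1104",
        "S-1-5-21-1111111111-2222222222-3333333333-512", "S-1-5-32-545", "S-1-1-0" };
    printf("flags = %d\n", token_privileges(sids, 4));
    return 0;
}
```

On Windows the input would be the process token's user SID together with its group SIDs. LocalSystem appears as the token's user rather than as a group, so a check that only walks group memberships does not see it.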