Re: "1-Click" installer problems

From: Craig Ringer <craig(at)postnewspapers(dot)com(dot)au>
To: John Gage <jsmgage(at)numericable(dot)fr>
Cc: John R Pierce <pierce(at)hogranch(dot)com>, "Nikhil G(dot) Daddikar" <ngd(at)celoxis(dot)com>, pgsql-general(at)postgresql(dot)org
Subject: Re: "1-Click" installer problems
Date: 2010-04-02 08:28:00
Message-ID: 4BB5AA90.4030205@postnewspapers.com.au
Lists: pgsql-general

On 2/04/2010 3:07 PM, John Gage wrote:

> Yet, that is what the one-click installer does. I do not believe that
> this is intuitive. What is more, gratuitously adding a user to the
> system doesn't seem to make a whole lot of sense.

This is absolutely standard practice on UNIX systems, and on Windows
systems for secure server installations too. It allows the server to
isolate itself from the rest of the system, protecting both the system
and the server.

For example, every Windows XP system with the .NET framework 3.0
installed will have an ASPNET user on it. This user is used to run any
ASP.NET service processes so that Internet attackers can't overwrite
system files if they successfully exploit the asp.net services.

If PostgreSQL didn't add a user to the system, it'd have to:

a) Run as root. This is DANGEROUS as any security problem in PostgreSQL
that allows an attacker to force Pg to run code gets them root access.

b) Run as your user. What if you remove the user later - crunch, your
database just broke. If Pg was attacked successfully, the attacker
wouldn't get root ... but they would get the ability to access and
delete all your files.

Arguably (b) is an acceptable non-admin-install option for Mac OS X
systems for non-production use with unimportant test data you can afford
to lose. I'm not convinced it's a good idea, though.

Perhaps the PostgreSQL installer needs to inform users of this, though
(say a "help" button when asked about user account details).

> But none, repeat none, create a new user.

Most server products that attempt even the vaguest kind of security
should. Some even do ;-)

PostgreSQL isn't just a program, remember, it's a running database
service that might be network accessible.

> What is more, through standard unix commands such as "who" or "cat
> /etc/passwd", I cannot find the user 'postgres' on my machine...even
> though he is the owner of the Postgres data files...on my machine.

Mac OS X isn't standard unix. Look in (depending on the Mac OS X
version) the NetInfo database, OpenDirectory, or wherever Apple hides
the user database this week.

You'll find that your own user account isn't in /etc/passwd either.

The postgres user *is* recognised by standard unix commands. "id
postgresql" will report its existence and details about it. It's just
not stored in /etc/passwd, because that's not how Mac OS X stores
account information (though there's some "legacy" stuff still in there).

> There's the rub. 'postgres' owns files...my files...on my machine, yet
> he is not on my machine. Not good.

Well, it's good for security. It also helps prevent people from
unwittingly going in and butchering the data directory - they're not
*meant* to be deleting things in there. This way they at least need
admin rights to do it.

What actual problem does it cause? Does the "postgres" user show up as
an additional login option on the login screen? Other than the notional
issue of not "owning" the files, what's the problem?

--
Craig Ringer
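The checks the post describes (does the service account exist even though it is absent from /etc/passwd, is the data directory owned by that account rather than by root or by your own login, and is it closed to everyone else) can be scripted with nothing but id(1) and stat(1). The script below is an added example for this thread; it is not part of the original post or of the PostgreSQL installer. The account name "postgres" is only a default, the data directory path has to be supplied by the caller, and the GNU/BSD stat probing is an assumption about the two platforms discussed:

```shell
#!/bin/sh
# Added example (not from the original thread or the PostgreSQL
# installer): audit a service account and its data directory with
# standard tools instead of grepping /etc/passwd, which on Mac OS X
# does not list accounts held in NetInfo/OpenDirectory.

# account_exists NAME: succeeds if the OS resolves NAME, whether it lives
# in /etc/passwd (Linux) or in the directory service (Mac OS X).
account_exists() {
    id "$1" >/dev/null 2>&1
}

# is_root_account NAME: succeeds if NAME maps to uid 0. A server running
# as uid 0 is case (a) from the post: any code-execution bug in it hands
# the attacker the whole machine.
is_root_account() {
    [ "$(id -u "$1" 2>/dev/null)" = "0" ]
}

# owner_of PATH / mode_of PATH: GNU stat (-c) and BSD/macOS stat (-f)
# take different format flags, so probe for GNU first and fall back.
owner_of() {
    if stat -c '%U' "$1" >/dev/null 2>&1; then stat -c '%U' "$1"
    else stat -f '%Su' "$1"; fi
}
mode_of() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then stat -c '%a' "$1"
    else stat -f '%Lp' "$1"; fi
}

# check_datadir DIR USER: the data directory must be owned by the service
# account and have no group/other permission bits, so only that account
# (or an admin) can touch it. Prints a one-line verdict, returns 0/1.
check_datadir() {
    dir=$1; want=$2
    if ! account_exists "$want"; then
        echo "FAIL: account '$want' not found (try: id $want; on Mac OS X also: dscl . -read /Users/$want)"
        return 1
    fi
    have=$(owner_of "$dir") || return 1
    if [ "$have" != "$want" ]; then
        echo "FAIL: $dir is owned by '$have', expected '$want'"
        return 1
    fi
    mode=$(mode_of "$dir") || return 1
    case "$mode" in
        *00) ;;   # e.g. 700: group and other bits clear
        *) echo "FAIL: $dir mode is $mode; group/other bits must be clear"; return 1 ;;
    esac
    echo "OK: $dir owned by '$want', mode $mode"
    return 0
}

# Stand-alone usage: ./audit.sh DATADIR [ACCOUNT]   (ACCOUNT defaults to
# "postgres", an assumed name; DATADIR is whatever your installer chose)
main() {
    dir=${1:?usage: audit.sh DATADIR [ACCOUNT]}
    user=${2:-postgres}
    if is_root_account "$user"; then
        echo "FAIL: service account '$user' is uid 0"
        return 1
    fi
    check_datadir "$dir" "$user"
}

# Only run main when executed directly as audit.sh, not when sourced.
case "$0" in
    *audit.sh) main "$@" ;;
esac
```

On a 1-Click install you would run it as `sh audit.sh /path/to/your/data postgres`; a "not found" verdict is the situation the post explains, and the suggested `id` / `dscl` commands show that the account does exist outside /etc/passwd. A mode failure is a finding in its own right: a data directory readable by group or other lets any local user copy the database files regardless of who owns them.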
