Re: R?f. : RE: Running PostGre on DVD

From: "Magnus Hagander" <mha(at)sollentuna(dot)net>
To: "Martijn van Oosterhout" <kleptog(at)svana(dot)org>
Cc: "Jim C(dot) Nasby" <jnasby(at)pervasive(dot)com>, "Stephan Szabo" <sszabo(at)megazone(dot)bigpanda(dot)com>, <eric(dot)leguillier(at)mpsa(dot)com>, <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: R?f. : RE: Running PostGre on DVD
Date: 2005-11-15 21:29:34
Message-ID: 6BCB9D8A16AC4241919521715F4D8BCE92E86A@algol.sollentuna.se
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

> > > Ah, now we are making progress. If there was a way to
> give up file
> > > access permissions so you could no longer write files to,
> say, the
> > > Windows System directory, this would go a long way to solving the
> > > issue. Currently, if the Postmaster runs as admin, anyone with
> > > access to the database could use COPY to read and write
> any file the
> > > backend can access.
> >
> > Getting rid of the admin and powerusers group should do
> that, I think.
>
> Look at pgwin32_is_admin(), it just checks if the user is
> member of one of those two groups. I think we have your
> solution right here...

Oh, I know - I wrote it :-)

You still lose in the nested group scenario.

And whlie a privilege like backup/restore can be used to overwrite any
file on the system, you must be able to execute arbitrary API calls to
do that. Whereas with admin/powerusers you can just use COPY or
whatever.

Bottom line is that pgwin32_is_admin() is far from perfect, it just
catches the most common scenarios.

//Magnus

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Martijn van Oosterhout 2005-11-15 21:51:28 Re: R?f. : RE: Running PostGre on DVD
Previous Message Martijn van Oosterhout 2005-11-15 21:26:33 Re: R?f. : RE: Running PostGre on DVD