Re: PgSQL not as Administrator - probs on w

From: "Mark Cave-Ayland" <m(dot)cave-ayland(at)webbased(dot)co(dot)uk>
To: "'Magnus Hagander'" <mha(at)sollentuna(dot)net>, "'Gary Doades'" <gpd(at)gpdnet(dot)co(dot)uk>, <pgsql-hackers-win32(at)postgresql(dot)org>
Subject: Re: PgSQL not as Administrator - probs on w
Date: 2004-07-05 10:06:33
Message-ID: 8F4A22E017460A458DB7BBAB65CA6AE512D2B8@openmanage
Lists: pgsql-hackers-win32


> -----Original Message-----
> From: pgsql-hackers-win32-owner(at)postgresql(dot)org
> [mailto:pgsql-hackers-win32-owner(at)postgresql(dot)org] On Behalf
> Of Magnus Hagander
> Sent: 04 July 2004 14:49
> To: Gary Doades; pgsql-hackers-win32(at)postgresql(dot)org
> Subject: Re: [pgsql-hackers-win32] PgSQL not as Administrator
> - probs on w
>
>
> >> We very much do *not* want to go grant a privilege to administrator that
> >> it doesn't already have. If it is required, it should be done manually
> >> by the administrator himself.
> >>
> >> (Oh, and the resource kit is very much *NOT* free. It's a licensed
> >> product like others. The supplement is like a servicepack - you still
> >> need the original kit license)
> >>
> >
> >Once again you are right. I thought that you may be able to only grant
> >the permission for the duration of initdb etc, but there are other
> >problems with this anyway.
>
> Yeah. You can enable the privilege temporarily, but actually
> granting it in the account database is a bigger operation.
> (Not to mention how many eventlog monitors/IDS systems the
> install is going to trigger if it does that)

Yeah that would be a nice piece of code using the Lsa*() API..... :)
It's also not good practice as a short hole exists (admittedly for a
very short space of time) that would allow process impersonation. I can
only guess that things are done this way in NT for a very good reason.

> Yeah, that's the uglier way to do it. We could even create a
> temporary service, start it, wait for it to stop by itself,
> and then remove it.
>
> //Magnus

Looks like someone else has had a similar idea: see
http://www.pluralsight.com/keith/security/sample_cmdasuser.htm for the
documentation and http://www.pluralsight.com/keith/security/samples.htm
for a link to a ZIP file containing the source. I think that as messy as
it is, from a security viewpoint it is probably the best option.

I also agree that if we allow a command line override then it will be
abused in production. Also, I would think that if developers are working
on a patch then it should be fairly trivial for them to knock out the
Admin check during development.... ;)

Cheers,

Mark.

---

Mark Cave-Ayland
Webbased Ltd.
Tamar Science Park
Derriford
Plymouth
PL6 8BX
England

Tel: +44 (0)1752 764445
Fax: +44 (0)1752 764446

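Added example, not code from the thread or from the PostgreSQL project: a PowerShell script that performs the two checks the discussion turns on, whether the current token is a member of Administrators (the kind of test behind the "Admin check" mentioned above) and which accounts have actually been granted a user right in the local account database, the persistent change Magnus contrasts with merely enabling a privilege on a token. The function names are my own; the secedit export itself requires an elevated shell.

```powershell
# Added example: audit the two conditions discussed in the thread.
# 1. Is the current token a member of BUILTIN\Administrators?
# 2. Which accounts hold a given user right in the local security policy
#    (the LSA account database)? A grant here persists across reboots and
#    is what event-log monitors flag; enabling a held privilege does not.

function Test-RunningAsAdministrator {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UserRightHolders {
    # $Right is a user-right name as it appears in the policy, e.g. SeServiceLogonRight
    param([Parameter(Mandatory)][string]$Right)

    $export = Join-Path $env:TEMP 'userrights.inf'
    # secedit writes the policy as an INI file; the [Privilege Rights] section
    # contains lines such as  SeServiceLogonRight = *S-1-5-80-...,*S-1-5-21-...
    secedit /export /cfg $export /areas USER_RIGHTS /quiet | Out-Null
    $line = Get-Content $export | Where-Object { $_ -match "^\s*$Right\s*=" } |
            Select-Object -First 1
    Remove-Item $export -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # right is held by nobody

    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim().TrimStart('*')   # leading '*' marks a SID
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry)
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $entry   # plain account name, or a SID that no longer resolves
        }
    }
}

# Usage: warn when elevated, then list who may log on as a service.
if (Test-RunningAsAdministrator) {
    Write-Warning 'Token is a member of Administrators; PostgreSQL refuses to start this way.'
}
Get-UserRightHolders -Right 'SeServiceLogonRight'
```

Comparing the output of Get-UserRightHolders before and after running an installer shows whether it silently granted a right in the account database rather than enabling one for the duration of the install.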
