From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | yangyd(at)cn(dot)fujitsu(dot)com |
Cc: | pgsql-bugs <pgsql-bugs(at)postgresql(dot)org> |
Subject: | Re: BUG #7767: pg_ctl allows postgres running under administrator's privilege |
Date: | 2012-12-29 16:38:26 |
Message-ID: | CABUevEwK+RV39OLE9RS1dxywvaNV9UJY0wHqwLdd8a+GS7KRsw@mail.gmail.com |
Lists: | pgsql-bugs |
On Fri, Dec 21, 2012 at 4:02 AM, <yangyd(at)cn(dot)fujitsu(dot)com> wrote:
> The following bug has been logged on the website:
>
> Bug reference: 7767
> Logged by: yangyd
> Email address: yangyd(at)cn(dot)fujitsu(dot)com
> PostgreSQL version: 9.2.2
> Operating system: Windows 7 Professional
> Description:
>
> I found that it's possible to start the postgres process as the
> administrator of the system using `pg_ctl start -D data`, while `postgres -D
> data` will complain "Execution of PostgreSQL by a user with administrative
> permissions is not permitted."
>
> I confirmed with Process Explorer that the postgres process created by
> pg_ctl does run under the administrator account.
>
> Is this behavior intended?

It's supposed to still run under the administrative account; however,
pg_ctl will create what's called a restricted token and execute it as
that - so it will run as Administrator but without access to any
permissions received by being in the Administrators or Power Users
group, for example.

You can verify it by, for example, attempting to COPY to a file that
only administrators have access to (access must be granted through the
group, of course).

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
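
The COPY check described in the message above, written out as an added example that is not part of the original message or of PostgreSQL. It assumes an elevated PowerShell session on the server host, `psql` on the PATH, a superuser role named `postgres`, and a hypothetical probe directory `C:\pg_token_probe`.

```powershell
# Added example: directory, file name and connection options are assumptions.
$probeDir  = 'C:\pg_token_probe'                      # hypothetical probe directory
$probeFile = Join-Path $probeDir 'copy_probe.txt'     # hypothetical probe file
$copyPath  = $probeFile -replace '\\', '/'            # forward slashes for the SQL literal

New-Item -ItemType Directory -Path $probeDir -Force | Out-Null

# Drop inherited ACEs and grant access only through the BUILTIN\Administrators
# group (well-known SID S-1-5-32-544), so that any successful write has to come
# from Administrators group membership, as the message requires.
icacls $probeDir /inheritance:r /grant '*S-1-5-32-544:(OI)(CI)F' | Out-Null

# COPY ... TO a file is written by the server process, not by psql, so this
# exercises the token the postgres backend is actually running with.
& psql -U postgres -d postgres -c "COPY (SELECT 1) TO '$copyPath'"
$psqlExit = $LASTEXITCODE

if (Test-Path -LiteralPath $probeFile) {
    # The backend could use Administrators group access.
    Write-Output 'Probe file was written: the server still has Administrators group access.'
} elseif ($psqlExit -ne 0) {
    # The backend was refused, which is what a restricted token should produce.
    Write-Output 'COPY failed and no probe file exists: consistent with a restricted token.'
} else {
    Write-Output 'Inconclusive: psql reported success but the probe file is missing (is the server on this host?).'
}

# Remove the probe directory again.
Remove-Item -LiteralPath $probeDir -Recurse -Force
```

Run it once against a server started with `pg_ctl start -D data`. The session running the script must itself be elevated, otherwise it cannot see into the probe directory either.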