[bug fix] pg_ctl fails with config-only directory - Mailing list pgsql-hackers

From MauMau
Subject [bug fix] pg_ctl fails with config-only directory
Date
Msg-id 180B62C99398442C999DEC7A1BB2DCB9@maumau
Whole thread Raw
Responses Re: [bug fix] pg_ctl fails with config-only directory
List pgsql-hackers
Hello,

I've found a bug and would like to fix it, but I cannot figure out how to do 
that well.  Could you give me any advice?  I encountered this on PG 9.2, but 
it will probably exist in later versions.

[Problem]
On Windows, a user with Administrator privileges can start the database 
server.  However, when he uses config-only directory, the database server 
cannot be started.  "pg_ctl start" fails with the following messages:

Execution of PostgreSQL by a user with administrative permissions is not
permitted.
The server must be started under an unprivileged user ID to prevent
possible system security compromises.  See the documentation for
more information on how to properly start the server.


[Cause]
pg_ctl runs "postgres -C data_directory" to know the data directory.  But 
postgres cannot be run by a user with Administrator privileges, and displays 
the above messages.


[Fix]
It is ideal that users with administrative privileges can start postgres, 
with the Administrator privileges removed.

Currently, initdb and pg_ctl take trouble to invoke postgres in a process 
with restricted privileges.  I understand this improvement was done in 8.2 
or 8.3 for convenience.  The same convenience should be available when 
running postgres directly, at least "postgres -C", 
"postgres --describe-config", and "postgres --single".

Then, how can we do this?  Which approach should we take?

* Approach 1
When postgres starts, it removes Administrator privileges from its own 
process.  But is this possible at all?  Windows security API is complex and 
provides many functions.  It seems difficult to understand them.  I'm afraid 
it would take a long time to figure out the solution.  Is there any good web 
page to look at?

* Approach 2
Do not call check_root() on Windows when -C, --describe-config, or --single 
is specified when running postgres.  This would be easy, and should not be 
dangerous in terms of security because attackers cannot get into the server 
process via network.

I'll try to find a solution based on approach 1, but I doubt there's one. 
If okay, I want to take approach 2.  Could you give me your thoughts?

Regards
MauMau




pgsql-hackers by date:

Previous
From: Mitsumasa KONDO
Date:
Subject: Re: Time-Delayed Standbys
Next
From: Stephen Frost
Date:
Subject: Re: Extension Templates S03E11