On Wed, Dec 04, 2002 at 11:14:37AM -0800, j.random.programmer wrote:
> ---------------------------------------
> Original:
> My wanting to run postmaster as non-root
>
> Other comments:
> - there is no good reason for running as root, so
> it's ok to forbit it.
> - This feature (mysql mis-feature?) isn't likely to
> change any time soon.
>
> Followup:
> It's clear that everyone thinks this is a
> bad idea. I have to disgree here. I should be allowed
> to do what I want even if it's a security risk as long
> as that risk is known/explained. It's _not_ an issue
> if I bind the daemon to a ip/interface which is
> guaranteed private and non-routable (such as
> 192.168.x.x) and non-forwardable. Then there is no
> risk. But it's not really a significant issue either
> way - creating a new user/group is not a big deal.
I think you're looking at it the wrong way. As a postgresql developer, by
preventing people running the daemon as root, they can never be blamed for
accedently trashing someone's system, since they can't write to most of it.
Any of the modules loaded by postgres don't need to audited as strongly.
Bugs in the COPY command have no chance of destroying important logs. Since
there is no good reason to run the server as root, it's better not to.
The reduced risk of remote hacking really seems like a secondary benefit (to
me anyway).
--
Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/
> Support bacteria! They're the only culture some people have.
