Re: Initdb fails... Again! - Mailing list pgsql-cygwin

From Jason Tishler
Subject Re: Initdb fails... Again!
Date
Msg-id 20030127214438.GF2124@tishler.net
In response to Re: Initdb fails... Again!  ("Markko Paas" <Markko@softronic.ee>)
Responses Re: Initdb fails... Again!
List pgsql-cygwin
Dan,

On Mon, Jan 27, 2003 at 10:10:55PM +0100, Dan Holmsand wrote:
> There are some (important, IMHO) advantages to run init as uid 0
> (a.k.a.  root), instead of as LocalSystem:

Not really, see below...

> 1) You can log on as root. More importantly, you can use W2K's "Run
> as" utility to run e.g. rxvt as root, and execute init scripts
> interactively (as in "/etc/rc.d/init.d/sshd restart").

You *can* log on as LocalSystem via ssh:

1. Replace the following /etc/passwd line:

    SYSTEM:*:18:544:,S-1-5-18::

with something like:

    SYSTEM:*:18:18:Local System,U-TISHLERJASON\LocalSystem,S-1-5-18:/home/system:/bin/bash

2. Add your keys to ~system/.ssh/authorized_keys

3. ssh system@localhost

There is also cmdasuser:

    http://www.develop.com/kbrown/security/sample_cmdasuser.htm

which can switch user to LocalSystem too.

> That makes life a *lot* easier when debugging, temporarily disabling
> services, etc. Executing typical sysv init scripts as another user,
> e.g.  "Administrator", will result in failure or disaster (depending
> on script and privileges).

See above.

> 2) You can use su when running as root. Also makes life a lot easier:
> just say "su postgres -c 'psql template1'" to administer postgresql.

Ditto.

> 3) You probably *gain* some security. Many (most?) unix daemons behave
> differently when run as uid 0, in order to prevent certain exploits or
> configuration errors when running as root. Just one example: apache
> (wisely) refuses to run with "User root" in httpd.conf, but happily
> accepts "User system".
>
> Unless such programs are really, really carefully ported to Cygwin,
> you get a security hole when running them as uid 18 (i.e. "SYSTEM").

Then those ports (e.g., apache) are broken and should be fixed.  For
example, my fetchmail, procmail, and vsftpd ports recognize uid 18 as
the root uid and behave accordingly.

> 4) It just feels a bit more unixy :-)

I guess so, but when in Rome... :,)

Jason

--
PGP/GPG Key: http://www.tishler.net/jason/pubkey.asc or key servers
Fingerprint: 7A73 1405 7F2B E669 C19D  8784 1AFD E4CC ECF4 8EF6
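As an added example (not from Jason's mail or any Cygwin tool), a small POSIX sh audit that parses Cygwin's /etc/passwd format and reports whether the LocalSystem entry (SID S-1-5-18 in the gecos field) has been given a home directory and a shell, i.e. turned into a loginable account as the steps above do. The two sample lines are the ones quoted in the message; the "login"/"nologin" output and the exit codes are my own convention.

```shell
#!/bin/sh
# Cygwin passwd fields: name:passwd:uid:gid:gecos:home:shell
# The gecos field carries the Windows SID after the last comma, so we
# split on ':' only and look for the SID inside the gecos text.

# Constructed sample lines, copied from the thread: stock entry and the
# modified one that makes LocalSystem reachable via ssh.
STOCK='SYSTEM:*:18:544:,S-1-5-18::'
MODIFIED='SYSTEM:*:18:18:Local System,U-TISHLERJASON\LocalSystem,S-1-5-18:/home/system:/bin/bash'

# audit_system_entry LINE
#   Prints "login" when LINE is the S-1-5-18 entry and has both a home
#   directory and a real shell, "nologin" when it is the S-1-5-18 entry
#   but cannot log in, and returns 1 (prints nothing) for any other user.
audit_system_entry() {
    line=$1
    gecos=$(printf '%s\n' "$line" | cut -d: -f5)
    home=$(printf '%s\n' "$line" | cut -d: -f6)
    shell=$(printf '%s\n' "$line" | cut -d: -f7)
    case "$gecos" in
        *S-1-5-18*) ;;            # LocalSystem's well-known SID
        *) return 1 ;;
    esac
    case "$shell" in
        ''|*/nologin|*/false) echo nologin ;;
        *) if [ -n "$home" ]; then echo login; else echo nologin; fi ;;
    esac
    return 0
}

# audit_passwd_file PATH
#   Scans a passwd file line by line; exit 0 when no loginable LocalSystem
#   entry exists, exit 2 when one is found (the offending line is printed).
audit_passwd_file() {
    status=0
    while IFS= read -r line; do
        r=$(audit_system_entry "$line") || continue
        if [ "$r" = login ]; then
            echo "LocalSystem can log in: $line"
            status=2
        fi
    done < "$1"
    return $status
}
```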
