On 9 Jul 2004 at 11:02, Andrew Dunstan wrote:
> >
> > I disagree completely. Opening a tcp/ip server with this level of
> > complexity for root access is a recipe for disaster. Wait until an
> > exploit pops up and hundreds of win32 boxes get rooted. This would be
> > a huge embarrassment and would be awful press. Do you really want to
> > allow for this scenario?
> >
>
> One compromise might be that we refuse to run with elevated privs on Windows
> if configured to listen on more than localhost. Then developers with admin
> privs could play happily, but server admins would need to do the Right Thing
> (tm). Of course, if another local service could be induced to do bad things
> via postgres that would be no protection, but at least we would not be the
> primary attack vector.
>
If the installer is going to create a non-priv user anyway, why not store that
username somewhere (environment/registry etc.); then, if the user tries to
run as administrator, just issue a message to the effect that postmaster
needs to start as user xxx (e.g. postgres) and prompt the user for the
postgres password. The postmaster should then be able to impersonate the
postgres user or launch the "runas" command/service with the appropriate
parameters. In this way the user can still be administrator, but run
postmaster in a command window with the minimum of fuss.
Even diehard Windows users shouldn't complain too much about that.
The only downside is that this may not work on older NT systems. Most of
the NT4 machines around will be server type machines anyway, not
interactive development type stuff. Postmaster should still refuse to run (as
admin) on this small minority of machines for now. We may eventually find
a way around that too.
Feasible?
Cheers,
Gary.
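The two mechanisms discussed in this thread (refuse to start with admin privileges unless bound to localhost, or hand off to a stored unprivileged account via a runas-style prompt) combined into one startup guard, as an added PowerShell example that is neither Gary's nor PostgreSQL's own code. It assumes, hypothetically, that the installer recorded the service account name in a `PGSERVICEUSER` environment variable, that `postgresql.conf` lives under `$env:PGDATA`, and that `postmaster.exe` is on the PATH; the Administrators-group test, the `listen_addresses` parsing and `Start-Process -Credential` (the equivalent of `runas`) use only standard .NET and PowerShell calls.

```powershell
# Added example, not from the original mail. Hypothetical assumptions:
#   $env:PGSERVICEUSER  - unprivileged account recorded by the installer
#   $env:PGDATA         - data directory containing postgresql.conf
#   postmaster.exe      - reachable via PATH

function Test-IsAdministrator {
    # True when the current token carries the built-in Administrators role.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ListenAddresses {
    param([string]$ConfPath)
    # Active (uncommented) listen_addresses = '...' lines only; the shipped
    # default when the directive is commented out is 'localhost'.
    $line = Select-String -Path $ConfPath -Pattern '^\s*listen_addresses\s*=\s*''([^'']*)''' |
            Select-Object -Last 1
    if ($null -eq $line) { return 'localhost' }
    return $line.Matches[0].Groups[1].Value
}

function Test-LocalOnly {
    param([string]$ListenAddresses)
    # Every configured address must be a loopback name; '*' or any NIC address fails.
    $allowed = @('localhost', '127.0.0.1', '::1')
    foreach ($addr in ($ListenAddresses -split ',' | ForEach-Object { $_.Trim() })) {
        if ($addr -eq '') { continue }
        if ($allowed -notcontains $addr.ToLowerInvariant()) { return $false }
    }
    return $true
}

$conf   = Join-Path $env:PGDATA 'postgresql.conf'
$listen = Get-ListenAddresses -ConfPath $conf

if (-not (Test-IsAdministrator)) {
    # Already unprivileged: nothing to guard against, start the server directly.
    & postmaster.exe -D $env:PGDATA
    exit $LASTEXITCODE
}

$serviceUser = $env:PGSERVICEUSER
if (-not [string]::IsNullOrEmpty($serviceUser)) {
    # Gary's proposal: tell the admin which account postmaster needs, prompt for
    # that account's password, and launch under that identity (runas equivalent),
    # so the listening socket is never owned by an administrator token.
    Write-Host "postmaster must run as user '$serviceUser'; please supply that account's password."
    $cred = Get-Credential -UserName $serviceUser -Message "Password for $serviceUser"
    Start-Process -FilePath 'postmaster.exe' -ArgumentList @('-D', $env:PGDATA) -Credential $cred -Wait
    exit 0
}

if (Test-LocalOnly $listen) {
    # Andrew's compromise: no service account recorded, but only localhost is
    # exposed, so a developer with admin rights may still run it locally.
    Write-Warning "Running postmaster as Administrator; only allowed because listen_addresses='$listen'."
    & postmaster.exe -D $env:PGDATA
    exit $LASTEXITCODE
}

Write-Error "Refusing to start as Administrator: listen_addresses='$listen' is not limited to localhost and no service account is configured."
exit 1
```

The order of the checks matters: the credential hand-off is tried first so that an administrator never ends up owning a network-reachable socket, and the localhost exception is only reached when no service account exists at all. A later `postgresql.conf` edit widening `listen_addresses` after an admin-run start is not caught by this script, which is why the real fix belongs inside the server rather than in a wrapper.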