Andrew Dunstan wrote:
>Merlin Moncure said:
>
>
>>Steve Tibbett wrote:
>>
>>
>>>It is normal on Windows for users to have admin rights on the local
>>>system. As much as this needs to be changed, you're not going to
>>>change it. If you insist on not running on an account with admin
>>>rights, you're just going to frustrate users
>>>
>>>You could say "Windows is inherently insecure; refusing to run". That
>>>would make the port much simpler. :)
>>>
>>>A warning is appropriate I think.. but refusing to run is going
>>>overboard. Just my two cents.
>>>
>>>
>>I disagree completely. Opening a tcp/ip server with this level of
>>complexity for root access is a recipe for disaster. Wait until an
>>exploit pops up and hundreds of win32 boxes get rooted. This would be
>>a huge embarrassment and would be awful press. Do you really want to
>>allow for this scenario?
>>
>>
>>
>
>One compromise might be that we refuse to run with elevated privs on Windows
>if configured to listen on more than localhost. Then developers with admin
>privs could play happily, but server admins would need to do the Right Thing
>(tm). Of course, if another local service could be induced to do bad things
>via postgres that would be no protection, but at least we would not be the
>primary attack vector.
>
>
>
A sql injection vulnerability in an application could still compromise
the local machine. It's better to be safe than sorry.
