hello Martijn,
maybe there are good reasons for both opinions - yours and "nobody's" (btw, not too good a name...):
When PostgreSQL is to run in production systems, running the database as root would be suicide (maybe on most Windows environments too...). So this should be prevented.
But: if I do "just" programming and I want to run PostgreSQL beside my IDE to create/test my wonderful programming ideas, there should simply be the ability to run PostgreSQL as any user - even root. Otherwise I must log in to my computer as a special PostgreSQL user to run PostgreSQL, but then maybe don't have all the rights to work with my IDE and other programming tools.
So there should be an easy solution for both!
greetings
hans
Martijn van Oosterhout schrieb:
On Wed, Jul 07, 2004 at 02:01:57PM +0100, nobody wrote:
To begin with I am not sure this is a correct place to post this, if not
please let me know.
PostgreSQL traditionally refuses to run under the root account on Unix (for
security reasons). On win32 the situation is the same (it will not run if
run under a user belonging to the administrators group).
In my opinion this should not be the case on win32, as developers are likely
to belong to the administrators group and might like to run the database
under their account.
Think carefully about this. If the DB runs with admin rights, you've
just given any person who connects to the database full rights to read
and write any file on disk. Look at the COPY IN/OUT command and the
lo_import/export() functions. They run with the privileges of the
*backend* not the frontend. So any connecting user would be able to
lo_import() any file on disk and then display it for perusal.
This is why on unix it runs as its own user. Then it can only read
other people's world-readable files.
I think that issuing a warning (pop up window) at the start-up of the
postmaster would be enough, something like:
"Starting under privileged account is considered unsafe. Please consider
starting the database server under a different user account."
Eeeuw, pop-up windows for a database server. No doubt it should stop
the database starting up waiting for someone to press OK. Very useful
(*not*) if you want to start the database from a script on a remote
machine.
Have a nice day,
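Martijn's point above is that server-side file access (COPY, lo_import/lo_export) runs with the operating-system privileges of the backend, so the OS account the postmaster runs as is the real security boundary. The following is an added example, not part of the thread and not PostgreSQL's own tooling: a small POSIX shell check that reads `ps`-style lines ("USER PID COMMAND") and fails if any postgres/postmaster process is owned by root. The process names and the sample lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): detect a PostgreSQL server running as root.
# Input on stdin: one process per line in the form "USER PID COMMAND", which is
# what `ps -eo user=,pid=,comm=` prints (comm is the short executable name, so
# the server shows up as "postgres" or, on older releases, "postmaster").
# Exit status: 0 when every server process is unprivileged, 1 otherwise.
check_postmaster_user() {
    awk '
        $3 == "postgres" || $3 == "postmaster" {
            if ($1 == "root") { bad++; print "privileged: " $0 }
            else               { print "ok: " $0 }
        }
        END { if (bad > 0) exit 1; exit 0 }
    '
}

# Constructed sample process lists (not captured from a real machine).
SAMPLE_OK='root 1 init
postgres 4211 postmaster
postgres 4213 postgres'

SAMPLE_BAD='root 1 init
root 4211 postmaster
root 4213 postgres'

# Live usage on a Unix host (shown as a comment so the script runs offline):
#   ps -eo user=,pid=,comm= | check_postmaster_user || echo "server runs as root"
```

The check only looks at the OS account; it says nothing about which database roles may call COPY or lo_import, which is a separate, in-database permission question.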