Re: Running PostGre on DVD - Mailing list pgsql-hackers

From Magnus Hagander
Subject Re: Running PostGre on DVD
Msg-id 6BCB9D8A16AC4241919521715F4D8BCE6C7BCC@algol.sollentuna.se
In response to Running PostGre on DVD  (eric.leguillier@mpsa.com)
Responses Re: Running PostGre on DVD  (Martijn van Oosterhout <kleptog@svana.org>)
List pgsql-hackers
> > > Why do you need to run PostgreSQL as admin? There shouldn't be any
> > > need for this.
> >
> > Actually I've run into a scenario where this was needed. I'm not a
> > Windows expert, so there might be some way to get around this:
> >
> > I have a localadmin account on the workstation (which is a member of a
> > domain). As this localadmin (with full local administrative privileges) I
> > created a local user "postgres" to run PostgreSQL as. The problem was
> > that the policy for the domain the machine was a member of (which
> > obviously overrides local settings) prevented this new local user from
> > having "local login" privileges.
>
> Typical windows, can't give up admin privileges even if you want to.

Huh. The stated problem is that the low privilege account does *not*
have the required privilege (to log in).
Note that PostgreSQL doesn't really require "log on locally" for
anything other than initdb. So if you can initdb on a different box and
copy it there, or somehow get the permissions temporarily, the server
will work fine. The server only requires "Log in as a service".

The best way to fix it is of course if you can have the domain guys
grant your local account the login locally right. If not, perhaps they
can set you up with a low-priv domain account to run the service under?
(I assume you are not the domain admin guy, or this would have already
been fixed...)


If the security is set up so that you can use a local *admin* account
but not a local *nonadmin* account, then your domain people really need
to look over their security policies, because they are very very broken
indeed.


> All jokes aside, doesn't "runas" allow you to start a program
> as another user?

It does, but this still requires that this user have the right to log
in, which is the problem in this case it seems.

/Magnus
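
To see which of the logon rights discussed in this message an account holds, the following PowerShell script (an added example, not part of the original message) exports the machine's user rights assignments with `secedit` and reports how each right reaches the account. The account name `postgres`, the temporary file name, and running from an elevated prompt on Windows PowerShell 5.1 or later are assumptions.

```powershell
# Added example: report the logon rights relevant to running PostgreSQL as a service.
param([string]$Account = 'postgres')   # assumed name of the local service account

# User-right constants and what they mean for this discussion.
$rights = [ordered]@{
    SeInteractiveLogonRight     = 'Log on locally (initdb)'
    SeServiceLogonRight         = 'Log on as a service (server)'
    SeDenyInteractiveLogonRight = 'Deny log on locally'
    SeDenyServiceLogonRight     = 'Deny log on as a service'
}

# The account can receive a right directly, through a local group it belongs to,
# or through the implicit groups Everyone (S-1-1-0) and Authenticated Users (S-1-5-11).
$sid = [System.Security.Principal.NTAccount]::new($env:COMPUTERNAME, $Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
$principals = @($Account, "$env:COMPUTERNAME\$Account", "*$sid", '*S-1-1-0', '*S-1-5-11')
$principals += Get-LocalGroup | Where-Object {
    Get-LocalGroupMember -Group $_ -Member $Account -ErrorAction SilentlyContinue
} | ForEach-Object { "*$($_.SID.Value)" }

# Export only the user rights area of the security policy (requires elevation).
$cfg = Join-Path $env:TEMP 'user_rights_export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Lines look like: SeServiceLogonRight = *S-1-5-80-0,postgres
$assigned = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $assigned[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() })
    }
}
Remove-Item $cfg

# One row per right, showing which principal (if any) grants it to the account.
foreach ($name in $rights.Keys) {
    $via = @($assigned[$name] | Where-Object { $principals -contains $_ })
    [pscustomobject]@{
        Right      = $name
        Meaning    = $rights[$name]
        Applies    = $via.Count -gt 0
        GrantedVia = $via -join ', '
    }
}
```

A row with `Applies = True` for one of the two deny rights takes precedence over the matching allow right.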

