> > > I don't understand why a user can't WILLINGLY (by EXPLICITLY
> > > setting an OPTION) allow a privileged administrator to run PostGre.
> >
> > Well, to start with, it increases the support costs of the
> > product as a whole to the community. Adding an option with severe
> > security implications is not free, at least not if you want to be
> > reasonably diligent about minimizing and documenting the risks.
> > Generally the community tries to take that seriously, so IMHO just
> > assuming that anyone who sets it knows the risks isn't acceptable.
> >
> > Why don't we actually start looking at the actual
> > implications and see what we can do about them, rather than either
> > assuming they're too great or too minimal. Maybe we'll come up with
> > solutions to current problems as well.
>
> To expand on that, someone has suggested the use of runas, so
> it would be good to see how that works.
>
> The problem here isn't that PostgreSQL refuses to run with
> admin privileges, it's that the Windows security model is
> brain-dead. IF it can be shown that there is no reasonable
> way around Windows 'security'
> and IF there is enough demand from users then the community
> might consider a hack that allows running PostgreSQL from an
> admin account.
There is *NOTHING* wrong with the model in this case. It's the specific
implementation of the model that is broken.
If you assign every user uid "0" in Unix, I believe you'd get the same
problem as when you assign every user an admin on Windows... Both are
equally stupid. There's just more software on Windows that is designed
for such stupid environments, but it's not in the security model itself.
If it was in the actual security model, we'd have to do something.
//Magnus