Re: EMBEDDED PostgreSQL - Mailing list pgsql-general

From Tom Lane
Subject Re: EMBEDDED PostgreSQL
Date
Msg-id 7059.1106688935@sss.pgh.pa.us
Whole thread Raw
In response to Re: EMBEDDED PostgreSQL  (John DeSoi <desoi@pgedit.com>)
Responses Re: EMBEDDED PostgreSQL
List pgsql-general
John DeSoi <desoi@pgedit.com> writes:
>> 2.3) Why do I need a non-administrator account to  run PostgreSQL under?

> Again, I think this is fine as the default, but it would be nice if it
> could be changed with a setting (rather than recompiling the source).
> Not all Windows users are dummies about security and need PostgreSQL to
> enforce security measures beyond those implemented on other platforms.

Sorry, but any Windows user who thinks he doesn't need security measures
equivalent to (not "beyond") minimum Unix practice is a dummy about
security.  Take a look at this LOAD vulnerability we're in the midst of
patching, and ask yourself whether you aren't glad that it can't be used
to get admin privileges on your Windows box.

(John Heasman pointed out to me off-list that the LOAD hole *is* remotely
exploitable on Windows; details left as an exercise for the reader.)

            regards, tom lane

pgsql-general by date:

Previous
From: Tom Lane
Date:
Subject: Re: Extended unit
Next
From: Tom Lane
Date:
Subject: Re: Delete with a multi-column join?