Re: Run-as-admin warning for win32 - Mailing list pgsql-patches

From Mark Cave-Ayland
Subject Re: Run-as-admin warning for win32
Date
Msg-id 8F4A22E017460A458DB7BBAB65CA6AE50265BD@openmanage
In response to Run-as-admin warning for win32  ("Magnus Hagander" <mha@sollentuna.net>)
Responses Re: Run-as-admin warning for win32  (Bruce Momjian <pgman@candle.pha.pa.us>)
List pgsql-patches

> -----Original Message-----
> From: pgsql-patches-owner@postgresql.org
> [mailto:pgsql-patches-owner@postgresql.org] On Behalf Of Bruce Momjian
> Sent: 04 May 2004 16:08
> To: Magnus Hagander
> Cc: Tom Lane; Andrew Dunstan; pgsql-patches@postgresql.org
> Subject: Re: [PATCHES] Run-as-admin warning for win32
>
>
> Magnus Hagander wrote:
> > > > The installer-skeleton I have right now permits
> > > installation as local
> > > > system but recommends a user account. But that's just
> > > functionality to
> > > > remove, so that's easily done. In the other case, it prompts for
> > > > username and password to run as.
> > >
> > > How would it install on an XP laptop?  If I am logged in as
> > > myself and I am listed as a "Computer Administrator", do I
> > > need to create another user, and how do I do the install as
> > > that other user, and start/stop the server, and stuff like that?
> >
> > Yes, you need to create another user.
> > When running as a service, just tell the installer. It
> should set up
> > required permissions. Then start the service as normal using the
> > Service Control Manager.
> >
> > When running manually, you will have to grant the postgres user the
> > required permissions on the PGDATA directory. Then you can
> start the
> > server using "runas".
>
> Ewe, big on security, small on ease-of-use.  :-)
>
> I have never had to create a user to install any other
> software on my laptop.


Just listening in on this thread.... I would be inclined to agree that
the Win32 PostgreSQL should run under its own user given the history of
Windows security. FWIW I know that Installshield (one of the most
popular installers) and the default settings for MSI mean that only
administrators can install software; so I would argue that there is no
reason why the PostgreSQL installer also shouldn't require administrator
privilege to run, and therefore create the postgres user account for us.

I think that most of the services installed under Win32 use a separate
username and password. The last installer I used that required a
username and password was for a backup service and then it was simply a
page in the installer that asked for a username and password to run
under; both of these were set to defaults so all I had to do was click
"Next" and the account was generated for me and the directory
permissions set up correctly. This has the balance that the novice user
will just click "Next" while the advanced user can set up a customised
account to meet his/her needs.

In the case of a stand-alone executable, I can see things being a little
more tricky; however I don't see there being any reason why when we
launch the backend we try the default username and password (postgres
and "") and if that doesn't work then we ask for a new username and
password from the user. I would see that this wouldn't be done in the
backend but in the equivalent of the /etc/init.d/postgresql script under
Win32. If people really got upset about asking for the account password
on startup then I guess they would have to go for the service
installation - I see this as being no different to the inconvenience of
asking for a PEM passphrase when we restart Apache on our Linux servers.

Finally I believe we can tighten up security from SMB/RPC-based exploits
by applying the "can only logon locally" policy to the postgres account
which means that SMB/RPC connections cannot be made with the default
PostgreSQL username and password which is always a good thing :)


Kind regards,

Mark.

---

Mark Cave-Ayland
Webbased Ltd.
Tamar Science Park
Derriford
Plymouth
PL6 8BX
England

Tel: +44 (0)1752 764445
Fax: +44 (0)1752 764446


This email and any attachments are confidential to the intended
recipient and may also be privileged. If you are not the intended
recipient please delete it from your system and notify the sender. You
should not copy it or use it for any purpose nor disclose or distribute
its contents to any other person.
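The account-per-service setup discussed above (a dedicated non-admin account, permissions granted only on PGDATA, and the account denied network logon so its credentials cannot be used for SMB/RPC sessions), as an added PowerShell example that is not part of the thread or the installer's code. The account name, the C:\pgdata path, and the use of New-LocalUser, icacls and secedit are my assumptions about a modern Windows host (Windows 10 / Server 2016 or later, elevated shell).

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Hypothetical values: the account name
# 'postgres' and the data directory C:\pgdata. Assumes Windows PowerShell 5.1+
# on Windows 10 / Server 2016 or later (for the LocalAccounts cmdlets).
$AccountName = 'postgres'
$PgData      = 'C:\pgdata'   # hypothetical PGDATA path

# 1. Create the service account with a random password instead of the
#    empty default the thread floats, and keep it out of Administrators.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$secure = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
if (-not (Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $AccountName -Password $secure -PasswordNeverExpires `
        -UserMayNotChangePassword -Description 'PostgreSQL service account' | Out-Null
}
Remove-LocalGroupMember -Group 'Administrators' -Member $AccountName -ErrorAction SilentlyContinue

# 2. PGDATA: drop inherited ACEs, then allow only the service account,
#    SYSTEM and Administrators (full control, inherited by subfolders/files).
New-Item -ItemType Directory -Path $PgData -Force | Out-Null
icacls $PgData /inheritance:r | Out-Null
icacls $PgData /grant "${AccountName}:(OI)(CI)F" 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' | Out-Null

# 3. Deny network logon (SeDenyNetworkLogonRight) so the account cannot be
#    used for SMB/RPC sessions; user rights are edited via secedit's INF format.
$sid = (Get-LocalUser -Name $AccountName).SID.Value
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content $cfg
if ($lines -match '^SeDenyNetworkLogonRight') {
    # Append our SID to the existing assignment (entries are *SID, comma separated).
    $lines = $lines -replace '^(SeDenyNetworkLogonRight\s*=\s*)(.*)$', ('$1$2,*' + $sid)
} else {
    $lines = $lines -replace '^\[Privilege Rights\]$', ("[Privilege Rights]`r`nSeDenyNetworkLogonRight = *" + $sid)
}
Set-Content -Path $cfg -Value $lines -Encoding Unicode
secedit /configure /db (Join-Path $env:TEMP 'user-rights.sdb') /cfg $cfg /areas USER_RIGHTS | Out-Null

# 4. Verify the right now lists the account's SID, then clean up.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Select-String -Path $cfg -Pattern 'SeDenyNetworkLogonRight' | ForEach-Object { $_.Line }
Remove-Item $cfg -Force
```

Registering the backend as a service under this account (or starting it manually with runas, as the thread suggests) is a separate step; the script only prepares the account, the data directory ACL, and the logon restriction.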


