Postgres Pro
Downloads
Home   >   mailing lists

Re: Supporting huge pages on Windows - Mailing list pgsql-hackers

From Craig Ringer
Subject Re: Supporting huge pages on Windows
Date
Msg-id CAMsr+YH8E9eBLQA7ug+m9yEC8NxZyX2XVKSXTrkavo==rP0WZQ@mail.gmail.com
Whole thread Raw
In response to Re: Supporting huge pages on Windows  (Andres Freund <andres@anarazel.de>)
Responses Re: Supporting huge pages on Windows  ("Tsunakawa, Takayuki" <tsunakawa.takay@jp.fujitsu.com>)
List pgsql-hackers
Tree view


On 4 Apr. 2017 14:22, "Andres Freund" <andres@anarazel.de> wrote:
On 2017-01-05 03:12:09 +0000, Tsunakawa, Takayuki wrote:
> From: pgsql-hackers-owner@postgresql.org
> > [mailto:pgsql-hackers-owner@postgresql.org] On Behalf Of Magnus Hagander
> > For the pg_ctl changes, we're going from removing all privilieges from the
> > token, to removing none. Are there any other privileges that we should be
> > worried about? I think you may be correct in that it's overkill to do it,
> > but I think we need some more specifics to decide that.
>
> This page lists the privileges.  Is there anyhing you are concerned about?
>
> https://msdn.microsoft.com/ja-jp/library/windows/desktop/bb530716(v=vs.85).aspx

Aren't like nearly all of them a concern?  We gone from having some
containment (not being to create users, shut the system down, ...), to
none.  I do however think there's a fair argument to be made that other
platforms do not have a similar containment (no root, but sudo etc is
still possible), and that the containment isn't super strong.

TBH, anyone who cares about security and runs Win7 or Win2k8 or newer should be using virtual service accounts and managed service accounts.


Those are more like Unix service accounts. Notably they don't need a password, getting rid of some of the management pain that led us to abandon the 'postgres' system user on Windows.

Now that older platforms are EoL and even the oldest that added this feature are also near EoL or in extended maintenance, I think installers should switch to these by default instead of using NETWORK SERVICE.

Then the issue of priv dropping would be a lesser concern anyway.

pgsql-hackers by date:

Previous
From: Dilip Kumar
Date:
Subject: Parallel Bitmap Heap Scan - Prefetch pages are not updated properly
Next
From: Kyotaro HORIGUCHI
Date:
Subject: Re: asynchronous execution