Thread: win32 port
To begin with I am not sure this is a correct place to post this, if not please let me know. The PostgreSQL traditionally refuses to run under root account on Unix (for security reasons). On win32 the situation is the same (it will not run if run under user belonging to administrator group). In my opinion this should not be the case on win32 as developers are likely to belong to the administrators group and might like to run the database under their account. I think that issuing a warning (pop up window) at the start-up of the postmaster would be enough, something like: "Starting under privileged account is considered unsafe. Please consider starting the database server under different user account." Basically, the server should not impose the policy (under windows) giving user the choice. What do you think?
On Wed, Jul 07, 2004 at 02:01:57PM +0100, nobody wrote:
> To begin with I am not sure this is a correct place to post this, if not
> please let me know.
>
> The PostgreSQL traditionally refuses to run under root account on Unix (for
> security reasons). On win32 the situation is the same (it will not run if
> run under user belonging to administrator group).
> In my opinion this should not be the case on win32 as developers are likely
> to belong to the administrators group and might like to run the database
> under their account.

Think carefully about this. If the DB runs with admin rights, you've just given any person who connects to the database full rights to read and write any file on disk. Look at the COPY IN/OUT command and the lo_import/export() functions. They run with the privileges of the *backend* not the frontend. So any connecting user would be able to lo_import() any file on disk and then display it for perusal.

This is why on unix it runs as its own user. Then it can only read other people's world-readable files.

> I think that issuing a warning (pop up window) at the start-up of the
> postmaster would be enough, something like:
>
> "Starting under privileged account is considered unsafe. Please consider
> starting the database server under different user account."

Eeeuw, pop-up windows for a database server. No doubt it should stop the database starting up waiting for someone to press OK. Very useful (*not*) if you want to start the database from a script on a remote machine.

Have a nice day,
--
Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.
On Wed, Jul 07, 2004 at 02:01:57PM +0100, nobody wrote:
> The PostgreSQL traditionally refuses to run under root account on Unix (for
> security reasons). On win32 the situation is the same (it will not run if
> run under user belonging to administrator group).
> In my opinion this should not be the case on win32 as developers are likely
> to belong to the administrators group and might like to run the database
> under their account.

Nah, this has been proposed and rejected at least a couple of times already. The reason is that Postgres does not want to be the next worm-causing program out there. Sloppy security on the grounds of ease of use is exactly the reason why Microsoft products are full of security programs.

There's a reason for refusing to run as root on Unix, and the same reason holds on Windows. Much more strongly, I might add.

--
Alvaro Herrera (<alvherre[a]dcc.uchile.cl>)
"Some people acquire the bad habit of being unhappy" (M. A. Evans)
hello martijn,
maybe there are good reasons for both opinions - yours and "nobodys" (btw not too good a name...):
when postgresql should be running in production-systems running the database as root would be suicide (maybe running on most windows-environments too...). so this should be prevented.
but: if i do "just" programming and i want to run postgresql besides my ide to create/test my wonderful programming ideas there should be just the ability to run postgresql with any user - even with root. otherwise i must login to my computer as special postgresql-user to run postgresql but maybe don't have all rights to work with my ide and other programming-tools.
so there should be an easy solution for both!
greetings
hans
Martijn van Oosterhout wrote:
> On Wed, Jul 07, 2004 at 02:01:57PM +0100, nobody wrote:
> > To begin with I am not sure this is a correct place to post this, if not please let me know.
> >
> > The PostgreSQL traditionally refuses to run under root account on Unix (for security reasons). On win32 the situation is the same (it will not run if run under user belonging to administrator group). In my opinion this should not be the case on win32 as developers are likely to belong to the administrators group and might like to run the database under their account.
>
> Think carefully about this. If the DB runs with admin rights, you've just given any person who connects to the database full rights to read and write any file on disk. Look at the COPY IN/OUT command and the lo_import/export() functions. They run with the privileges of the *backend* not the frontend. So any connecting user would be able to lo_import() any file on disk and then display it for perusal.
>
> This is why on unix it runs as its own user. Then it can only read other people's world-readable files.
>
> > I think that issuing a warning (pop up window) at the start-up of the postmaster would be enough, something like:
> >
> > "Starting under privileged account is considered unsafe. Please consider starting the database server under different user account."
>
> Eeeuw, pop-up windows for a database server. No doubt it should stop the database starting up waiting for someone to press OK. Very useful (*not*) if you want to start the database from a script on a remote machine.
>
> Have a nice day,
On Sat, Jul 10, 2004 at 10:48:59AM +0200, zuhans@iname.com wrote:
> when postgresql should be running in production-systems running the
> database as root would be suicide (maybe running on most
> windows-environments too...). so this should be prevented.
>
> but: if i do "just" programming and i want to run postgresql besides my
> ide to create/test my wonderful programming ideas there should be just
> the ability to run postgresql with any user - even with root. otherwise
> i must login to my computer as special postgresql-user to run postgresql
> but maybe don't have all rights to work with my ide and other
> programming-tools.

Err? Ok, I'm not too familiar with windows but surely it's possible to run a server as another user. For me (on Linux mind you) all such servers are started on bootup and several of them have their own user accounts.

Unless you are considering running postgresql from your development environment. Surely you run the server as its own user. The user programs and command interface can run as any user.

Just run it as a service (I think that's the right term), you're the admin, right?

Hope this helps,
--
Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.
hello martijn,
i know, on linux this is really a lot easier and the os is by far more advanced than windows (my opinion) - especially concerning the issue "user". but...
...i have little experience in linux and i work on windows.
...and i don't want to run postgresql as service - there are so many services in windows (xp) running - every piece of software installs some more or less dubious things in memory... - that the overall system-speed is decreasing a lot the longer you run your computer.
...and - as far as i can see - to handle users is a young and not easy to use feature in most windows-systems. as you surely know, windows was mostly a one-user-system (just root). that made life easy but very dangerous. nowadays i can create users but lots of windows-programs still rely on being root (beginning from installation and ending with using them). so many programs must be started - every time! - with su-user-rights. so, if you made your windows-system more secure in creating (and running your system as) a more restricted user, you always have to enter "su". this makes you wonder, if the system is then more secure any more on the one side, and after several times of working like this, you wish your system back to old-style just to have an easy way for working again on the other side.
all this is much more a problem, if one's computer/laptop is not only for oneself but for all the other family-members too. e.g. you make a restricted user for your children (not so much for your wife...) then you have to either run to them, every time they want to run programs to enter "su" or you give them "su"-infos - now try to decide yourself.
this is a problem for windows user - and for programmers on windows too.
so - back to the problem again: why couldn't there be - just for testing and programming purposes!! - a way to start postgresql even with root (and maybe - as "nobody" proposed - with that info-popup-window at the beginning as a good reminder for somebody who would really try to make this a production system)?
greetings from rainy salzburg/austria
hans
Martijn van Oosterhout wrote:
> On Sat, Jul 10, 2004 at 10:48:59AM +0200, zuhans@iname.com wrote:
> > when postgresql should be running in production-systems running the database as root would be suicide (maybe running on most windows-environments too...). so this should be prevented.
> >
> > but: if i do "just" programming and i want to run postgresql besides my ide to create/test my wonderful programming ideas there should be just the ability to run postgresql with any user - even with root. otherwise i must login to my computer as special postgresql-user to run postgresql but maybe don't have all rights to work with my ide and other programming-tools.
>
> Err? Ok, I'm not too familiar with windows but surely it's possible to run a server as another user. For me (on Linux mind you) all such servers are started on bootup and several of them have their own user accounts.
>
> Unless you are considering running postgresql from your development environment. Surely you run the server as its own user. The user programs and command interface can run as any user.
>
> Just run it as a service (I think that's the right term), you're the admin, right?
>
> Hope this helps,
On Sat, Jul 10, 2004 at 12:22:42PM +0200, zuhans@iname.com wrote:
> ...and i don't want to run postgresql as service - there are so many
> services in windows (xp) running - every piece of software installs some
> more or less dubious things in memory... - that the overall system-speed
> is decreasing a lot the longer you run your computer.

There has to be a way of having a service configured not to run automatically at boot, and run it by hand, isn't there?

Windows people would know better than me, but I think you can do these things using "NET START" or something like that.

--
Alvaro Herrera (<alvherre[a]dcc.uchile.cl>)
"Victory belongs to whoever dares to be alone"
Alvaro Herrera <alvherre@dcc.uchile.cl> wrote:
> On Sat, Jul 10, 2004 at 12:22:42PM +0200, zuhans@iname.com wrote:
>
> > ...and i don't want to run postgresql as service - there are so many
> > services in windows (xp) running - every piece of software installs some
> > more or less dubious things in memory... - that the overall system-speed
> > is decreasing a lot the longer you run your computer.
>
> There has to be a way of having a service configured not to run
> automatically at boot, and run it by hand, isn't there?
>
> Windows people would know better than me, but I think you can do these
> things using "NET START" or something like that.

The GUI service control manager app lets you set these values. Startup options such as automatic, manual, and disable exist. You can also manually start/stop services from the GUI interface.

I believe Win2K3 now has CLI tools for this as well, but I don't know the details.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
Hello Hans,

zuhans@iname.com wrote:
> ...i have little experience in linux and i work on windows.

I don't know the current state of the Windows port (PG 7.5) but as I understood it currently won't run as service at all. For getting a service you need to go with cygwin ...

I didn't test it, but at least since Windows 2000 there is a command "runas" that can RUN programs AS other users. You can use it even with the desktop, when you hold SHIFT and right-click a program.

> ...and - as far as i can see - to handle users is a young and not easy
> to use feature in most windows-systems.

"young" as in its teens ;) Windows NT => 2000 => XP => ... had user-accounts for years and the access rights are nicely configurable. You can even take away Administrator's rights to access directories or files, though in most cases he can set it back himself. This way you can prevent accidentally erasing stuff.
> > ...i have little experience in linux and i work on windows.
>
> I don't know the current state of the Windows port (PG 7.5)
> but as I understood it currently won't run as service at all.
> For getting a service you need to go with cygwin ...

Current snapshots have full service integration - has had for quite a while. The integration happens through pg_ctl, so run that command to get the parameters required to install the service.

> I didn't test it, but at least since Windows 2000 there is a
> command "runas" that can RUN programs AS other users.
> You can use it even with the desktop, when you hold SHIFT and
> right-click a program.

This command works just fine - this is how I start my dev version. You can also specify it directly on the shortcut so it will always pop up. It exists in 2000, XP and 2003. (And Longhorn, but let's run one development snapshot at a time..)

//Magnus
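
The setup the replies above converge on (a dedicated unprivileged account, started by hand through "runas" or through a manual-start service registered with pg_ctl), written out as an added PowerShell example that is not from any poster in the thread. The account name, service name and paths are assumptions, and the pg_ctl options should be checked against `pg_ctl --help` for the build in use.

```powershell
# Added example. Account name, service name and paths are assumptions.
$PgBin      = 'C:\pgsql\bin'    # assumed install directory (no spaces)
$PgData     = 'C:\pgsql\data'   # assumed data directory
$Account    = 'postgres'        # assumed dedicated local account
$Service    = 'pgsql-dev'       # assumed service name
$UseService = $false            # $true: manual-start service, $false: runas

# Run this script from an elevated prompt: creating accounts and services
# needs admin rights; the database server itself must not have them.
$Password = Read-Host "Password for the new '$Account' account"

# 1. Dedicated local account.
net user $Account $Password /add

# 2. Verify it is not an administrator. The server refuses to start under
#    an administrative account, because COPY and lo_import()/lo_export()
#    touch files with the backend's rights, not the client's.
$admins = net localgroup Administrators | ForEach-Object { $_.Trim() }
if ($admins -contains $Account) {
    throw "'$Account' is in Administrators; remove it first."
}

# 3. Give the account the data directory and nothing else.
New-Item -ItemType Directory -Path $PgData -Force | Out-Null
icacls $PgData /grant "${Account}:(OI)(CI)F"

# 4. Initialise the cluster as that account (runas prompts for its password
#    and opens a separate window, so wait for it to finish).
runas /user:$Account "$PgBin\initdb.exe -D $PgData"
Read-Host 'Press Enter once initdb has finished' | Out-Null

if ($UseService) {
    # 5a. Register a service that runs as the account, set it to manual
    #     start so nothing runs at boot, then start and stop it by hand.
    #     The account also needs the "Log on as a service" right
    #     (secpol.msc, Local Policies, User Rights Assignment).
    & "$PgBin\pg_ctl.exe" register -N $Service -U ".\$Account" -P $Password -D $PgData
    sc.exe config $Service start= demand
    net start $Service          # 'net stop $Service' when done
} else {
    # 5b. No service at all: start the server by hand under the account.
    runas /user:$Account "$PgBin\pg_ctl.exe start -D $PgData"
}
```

Client tools and the IDE keep running under the developer's own account in either case; only the server process runs as the restricted user.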