Thread: win32 port

win32 port

From
"nobody"
Date:
To begin with I am not sure this is a correct place to post this, if not
please let me know.

PostgreSQL traditionally refuses to run under the root account on Unix (for
security reasons). On win32 the situation is the same (it will not run if
run under a user belonging to the administrators group).
In my opinion this should not be the case on win32, as developers are likely
to belong to the administrators group and might like to run the database
under their account.

I think that issuing a warning (pop-up window) at the start-up of the
postmaster would be enough, something like:

"Starting under privileged account is considered unsafe. Please consider
starting the database server under different user account."

Basically, the server should not impose the policy (under Windows), giving
the user the choice.

What do you think?



Re: win32 port

From
Martijn van Oosterhout
Date:
On Wed, Jul 07, 2004 at 02:01:57PM +0100, nobody wrote:
> To begin with I am not sure this is a correct place to post this, if not
> please let me know.
>
> PostgreSQL traditionally refuses to run under the root account on Unix (for
> security reasons). On win32 the situation is the same (it will not run if
> run under a user belonging to the administrators group).
> In my opinion this should not be the case on win32, as developers are likely
> to belong to the administrators group and might like to run the database
> under their account.

Think carefully about this. If the DB runs with admin rights, you've
just given any person who connects to the database full rights to read
and write any file on disk. Look at the COPY IN/OUT command and the
lo_import/export() functions. They run with the privileges of the
*backend* not the frontend. So any connecting user would be able to
lo_import() any file on disk and then display it for perusal.

This is why on unix it runs as its own user. Then it can only read
other people's world-readable files.

> I think that issuing a warning (pop-up window) at the start-up of the
> postmaster would be enough, something like:
>
> "Starting under privileged account is considered unsafe. Please consider
> starting the database server under different user account."

Eeeuw, pop-up windows for a database server. No doubt it should stop
the database starting up waiting for someone to press OK. Very useful
(*not*) if you want to start the database from a script on a remote
machine.

Have a nice day,
--
Martijn van Oosterhout   <kleptog@svana.org>   http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.


Re: win32 port

From
Alvaro Herrera
Date:
On Wed, Jul 07, 2004 at 02:01:57PM +0100, nobody wrote:

> PostgreSQL traditionally refuses to run under the root account on Unix (for
> security reasons). On win32 the situation is the same (it will not run if
> run under a user belonging to the administrators group).
> In my opinion this should not be the case on win32, as developers are likely
> to belong to the administrators group and might like to run the database
> under their account.

Nah, this has been proposed and rejected at least a couple of times
already.  The reason is that Postgres does not want to be the next
worm-causing program out there.  Sloppy security on the grounds of ease
of use is exactly the reason why Microsoft products are full of security
problems.

There's a reason for refusing to run as root on Unix, and the same
reason holds on Windows.  Much more strongly, I might add.

--
Alvaro Herrera (<alvherre[a]dcc.uchile.cl>)
"Some people acquire the bad habit of being unhappy" (M. A. Evans)


Re: win32 port

From
"zuhans@iname.com"
Date:
hello martijn,

maybe there are good reasons for both opinions - yours and "nobody's" (btw not too good a name...):

when postgresql should be running in production-systems running the database as root would be suicide (maybe running on most windows-environments too...). so this should be prevented.

but: if i do "just" programming and i want to run postgresql besides my ide to create/test my wonderful programming ideas there should be just the ability to run postgresql with any user - even with root. otherwise i must login to my computer as special postgresql-user to run postgresql but maybe don't have all rights to work with my ide and other programming-tools.

so there should be an easy solution for both!

greetings
hans

Martijn van Oosterhout wrote:
> On Wed, Jul 07, 2004 at 02:01:57PM +0100, nobody wrote:
> > To begin with I am not sure this is a correct place to post this, if not
> > please let me know.
> >
> > PostgreSQL traditionally refuses to run under the root account on Unix (for
> > security reasons). On win32 the situation is the same (it will not run if
> > run under a user belonging to the administrators group).
> > In my opinion this should not be the case on win32, as developers are likely
> > to belong to the administrators group and might like to run the database
> > under their account.
>
> Think carefully about this. If the DB runs with admin rights, you've
> just given any person who connects to the database full rights to read
> and write any file on disk. Look at the COPY IN/OUT command and the
> lo_import/export() functions. They run with the privileges of the
> *backend* not the frontend. So any connecting user would be able to
> lo_import() any file on disk and then display it for perusal.
>
> This is why on unix it runs as its own user. Then it can only read
> other people's world-readable files.
>
> > I think that issuing a warning (pop-up window) at the start-up of the
> > postmaster would be enough, something like:
> >
> > "Starting under privileged account is considered unsafe. Please consider
> > starting the database server under different user account."
>
> Eeeuw, pop-up windows for a database server. No doubt it should stop
> the database starting up waiting for someone to press OK. Very useful
> (*not*) if you want to start the database from a script on a remote
> machine.
>
> Have a nice day,

Re: win32 port

From
Martijn van Oosterhout
Date:
On Sat, Jul 10, 2004 at 10:48:59AM +0200, zuhans@iname.com wrote:
> when postgresql should be running in production-systems running the
> database as root would be suicide (maybe running on most
> windows-environments too...). so this should be prevented.
>
> but: if i do "just" programming and i want to run postgresql besides my
> ide to create/test my wonderful programming ideas there should be just
> the ability to run postgresql with any user - even with root. otherwise
> i must login to my computer as special postgresql-user to run postgresql
> but maybe don't have all rights to work with my ide and other
> programming-tools.

Err? Ok, I'm not too familiar with windows but surely it's possible to
run a server as another user. For me (on Linux mind you) all such
servers are started on bootup and several of them have their own user
accounts.

Unless you are considering running postgresql from your development
environment. Surely you run the server as its own user. The user
programs and command interface can run as any user.

Just run it as a service (i think that's the right term), you're the
admin, right?

Hope this helps,
--
Martijn van Oosterhout   <kleptog@svana.org>   http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.


Re: win32 port

From
"zuhans@iname.com"
Date:
hello martijn,

i know, on linux this is really a lot easier and the os is by far more advanced than windows (my opinion) - especially concerning the issue "user". but...

...i have little experience in linux and i work on windows.

...and i don't want to run postgresql as service - there are so many services in windows (xp) running - every piece of software installs some more or less dubious things in memory... - that the overall system-speed is decreasing a lot the longer you run your computer.

...and - as far as i can see - to handle users is a young and not easy to use feature in most windows-systems. as you surely know, windows was mostly a one-user-system (just root). that made life easy but very dangerous. nowadays i can create users but lots of windows-programs still rely on being root (beginning from installation and ending with using them). so many programs must be started - every time! - with su-user-rights. so, if you made your windows-system more secure in creating (and running your system as) a more restricted user, you always have to enter "su". this makes you wonder, if the system is then more secure any more on the one side, and after several times of working like this, you wish your system back to old-style just to have an easy way for working again on the other side.
all this is much more a problem, if one's computer/laptop is not only for oneself but for all the other family-members too. e.g. you make a restricted user for your children (not so much for your wife...) then you have to either run to them, every time they want to run programs to enter "su" or you give them "su"-infos - now try to decide yourself.

this is a problem for windows user - and for programmers on windows too.

so - back to the problem again: why couldn't there be - just for testing and programming purposes!! - a way to start postgresql even with root (and maybe - as "nobody" proposed - with that info-popup-window at the beginning as a good reminder for somebody who would really try to make this a production system)?

greetings from rainy salzburg/austria
hans


Martijn van Oosterhout wrote:
> On Sat, Jul 10, 2004 at 10:48:59AM +0200, zuhans@iname.com wrote:
> > when postgresql should be running in production-systems running the
> > database as root would be suicide (maybe running on most
> > windows-environments too...). so this should be prevented.
> >
> > but: if i do "just" programming and i want to run postgresql besides my
> > ide to create/test my wonderful programming ideas there should be just
> > the ability to run postgresql with any user - even with root. otherwise
> > i must login to my computer as special postgresql-user to run postgresql
> > but maybe don't have all rights to work with my ide and other
> > programming-tools.
>
> Err? Ok, I'm not too familiar with windows but surely it's possible to
> run a server as another user. For me (on Linux mind you) all such
> servers are started on bootup and several of them have their own user
> accounts.
>
> Unless you are considering running postgresql from your development
> environment. Surely you run the server as its own user. The user
> programs and command interface can run as any user.
>
> Just run it as a service (i think that's the right term), you're the
> admin, right?
>
> Hope this helps,

Re: win32 port

From
Alvaro Herrera
Date:
On Sat, Jul 10, 2004 at 12:22:42PM +0200, zuhans@iname.com wrote:

> ...and i don't want to run postgresql as service - there are so many
> services in windows (xp) running - every piece of software installs some
> more or less dubious things in memory... - that the overall system-speed
> is decreasing a lot the longer you run your computer.

There has to be a way of having a service configured not to run
automatically at boot, and run it by hand, isn't there?

Windows people would know better than me, but I think you can do these
things using "NET START" or something like that.

--
Alvaro Herrera (<alvherre[a]dcc.uchile.cl>)
"Victory belongs to those who dare to stand alone"


Re: win32 port

From
Bill Moran
Date:
Alvaro Herrera <alvherre@dcc.uchile.cl> wrote:

> On Sat, Jul 10, 2004 at 12:22:42PM +0200, zuhans@iname.com wrote:
>
> > ...and i don't want to run postgresql as service - there are so many
> > services in windows (xp) running - every piece of software installs some
> > more or less dubious things in memory... - that the overall system-speed
> > is decreasing a lot the longer you run your computer.
>
> There has to be a way of having a service configured not to run
> automatically at boot, and run it by hand, isn't there?
>
> Windows people would know better than me, but I think you can do these
> things using "NET START" or something like that.

The GUI service control manager app lets you set these values.  Startup
options such as automatic, manual, and disable exist.  You can also manually
start/stop services from the GUI interface.

I believe Win2K3 now has CLI tools for this as well, but I don't know
the details.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com

Re: win32 port

From
Andreas
Date:
Hello Hans,

zuhans@iname.com wrote:

> ...i have little experience in linux and i work on windows.


I don't know the current state of the Windows port (PG 7.5) but as I
understood  it currently won't run as service at all.
For getting a service you need to go with cygwin ...

I didn't test it, but at least since Windows 2000 there is a command
"runas" that can RUN programs AS other users.
You can use it even with the desktop, when you hold SHIFT and
right-click a program.

> ...and - as far as i can see - to handle users is a young and not easy
> to use feature in most windows-systems.

"young" as in its teens   ;)
Windows NT => 2000 => XP => ...  had user-accounts for years and the
access rights are nicely configurable.

You can even take away Administrator's rights to access directories or
files, though in most cases he can set it back himself.
This way you can prevent accidentally erasing stuff.



Re: win32 port

From
"Magnus Hagander"
Date:
> > ...i have little experience in linux and i work on windows.
>
>
> I don't know the current state of the Windows port (PG 7.5)
> but as I understood  it currently won't run as service at all.
> For getting a service you need to go with cygwin ...

Current snapshots have full service integration - has had for quite a
while. The integration happens through pg_ctl, so run that command to
get the parameters required to install the service.


> I didn't test it, but at least since Windows 2000 there is a
> command "runas" that can RUN programs AS other users.
> You can use it even with the desktop, when you hold SHIFT and
> right-click a program.

This command works just fine - this is how I start my dev version. You
can also specify it directly on the shortcut so it will always pop up.
It exists in 2000, XP and 2003. (And Longhorn, but let's run one
development snapshot at a time..)



//Magnus
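The two workarounds the thread converges on (Bill's manual-start service and Magnus's pg_ctl service registration plus runas) fit in one setup script. The script below is an added example, not code from the thread or from the PostgreSQL project; the account name pgsvc, the service name pgsql-dev, the paths C:\pgsql and C:\pgdata, and passing the password as a script argument are all assumptions. It keeps the server off the administrators group so that a database session can only reach what the service account can reach on disk, which is the whole point of the refusal Martijn and Alvaro defend.

```batch
@echo off
rem Added example, not from the thread: run the PostgreSQL server on Windows
rem under its own unprivileged local account, registered as a manually started
rem service, with a RUNAS line for a throwaway development instance.
rem Assumed names: account pgsvc, service pgsql-dev, C:\pgsql, C:\pgdata.
rem Run once from a command prompt belonging to an Administrators member.
setlocal
set PGBIN=C:\pgsql\bin
set PGDATA=C:\pgdata
set SVCUSER=pgsvc
set SVCNAME=pgsql-dev

if "%~1"=="" (
    echo usage: %~nx0 ^<password-for-%SVCUSER%^>
    exit /b 1
)
set SVCPASS=%~1

rem 1. Dedicated local account. "net user" creates a plain user; it is
rem    deliberately NOT added to the Administrators group. (Use
rem    "net user %SVCUSER% * /add" instead to be prompted for the password
rem    rather than passing it on the command line.)
net user %SVCUSER% %SVCPASS% /add /passwordchg:no /expires:never
if errorlevel 1 exit /b 1

rem 2. Grant that account full control of the data directory. /E edits the
rem    existing ACL instead of replacing it; /T recurses.
if not exist "%PGDATA%" mkdir "%PGDATA%"
cacls "%PGDATA%" /T /E /G %SVCUSER%:F

rem 3. Initialise the cluster as the service account (RUNAS prompts for its
rem    password), so the data files belong to it rather than to the admin.
runas /user:%SVCUSER% "%PGBIN%\initdb -D %PGDATA%"

rem 4. Register the server as a Windows service running as that account.
rem    This is the pg_ctl service integration Magnus refers to; -N is the
rem    service name, -U/-P the logon, -D the data directory.
"%PGBIN%\pg_ctl" register -N %SVCNAME% -U .\%SVCUSER% -P %SVCPASS% -D "%PGDATA%"
if errorlevel 1 exit /b 1

rem 5. Make the service manual-start so nothing runs at boot, then start and
rem    stop it by hand when needed (the space after "start=" is required).
sc config %SVCNAME% start= demand
net start %SVCNAME%
rem Later: net stop %SVCNAME%

rem Alternative for a throwaway dev instance without any service at all:
rem start the postmaster interactively under the unprivileged account.
rem   runas /user:%SVCUSER% "%PGBIN%\pg_ctl start -D %PGDATA%"
endlocal
```

If "net start" fails with a logon failure, the account is missing the "Log on as a service" right; grant it in Local Security Policy (secpol.msc) under User Rights Assignment and start the service again. The runas form needs no service and no extra right, which is why it suits the "just programming" case Hans describes, and it still never gives the backend administrator privileges.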