Thread: Re: R?f. : RE: Running PostGre on DVD
> > > I don't understand why a user can't WILLINGLY (by EXPLICITLY
> > > setting an OPTION) allow a privileged administrator to run PostGre.
> >
> > Well, to start with, it increases the support costs of the product as
> > a whole to the community. Adding an option with severe security
> > implications is not free, at least not if you want to be reasonably
> > diligent about minimizing and documenting the risks. Generally the
> > community tries to take that seriously, so IMHO just assuming that
> > anyone who sets it knows the risks isn't acceptable.
> >
> > Why don't we actually start looking at the actual implications and see
> > what we can do about them, rather than either assuming they're too
> > great or too minimal. Maybe we'll come up with solutions to current
> > problems as well.
>
> To expand on that, someone has suggested the use of runas, so
> it would be good to see how that works.
>
> The problem here isn't that PostgreSQL refuses to run with
> admin privileges, it's that the Windows security model is
> brain-dead. IF it can be shown that there is no reasonable
> way around Windows 'security' and IF there is enough demand
> from users then the community might consider a hack that
> allows running PostgreSQL from an admin account.

There is *NOTHING* wrong with the model in this case. It's the specific
implementation of the model that is broken.

If you assign every user uid "0" in Unix, I believe you'd get the same
problem as when you assign every user an admin on Windows... Both are
equally stupid. There's just more software on Windows that is designed
for such stupid environments, but it's not in the security model itself.
If it was in the actual security model, we'd have to do something.

//Magnus
On Tue, Nov 15, 2005 at 05:33:38PM +0100, Magnus Hagander wrote:
> There is *NOTHING* wrong with the model in this case. It's the specific
> implementation of the model that is broken.
>
> If you assign every user uid "0" in Unix, I believe you'd get the same
> problem as when you assign every user an admin on Windows... Both are
> equally stupid. There's just more software on Windows that is designed
> for such stupid environments, but it's not in the security model itself.
> If it was in the actual security model, we'd have to do something.

Actually, no. In UNIX, if you are running as user 0, you can su to any
other user ID, even if they don't exist. You can set it up so you can
never go back, a trapdoor basically. Under Linux you can even give up all
sorts of privileges without changing your UID.

The difference with Windows appears to be that you can't willingly
restrict your own privileges without creating another user and switching
to them. For example, does the Windows model allow you to say (without
creating a new user): I irrevocably restrict my access to files owned by
user X for this process *only*. Or to files under subdirectory Y. Or I
irrevocably restrict my access to open new network sockets. Or
irrevocably restrict my access to create new users.

If this is possible then a patch might be accepted that would allow you
to run as "admin" but only after giving up all the rights that aren't
actually needed. If you can't do this, I'd call the model flawed.

Have a nice day,
-- 
Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.
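The "trapdoor" Martijn describes, a root process dropping to an unprivileged uid with no way back, and the Linux-only "give up privileges without changing your UID" point, as an added example that is not part of the thread and not PostgreSQL's own code. It assumes a POSIX system for setuid()/setgid()/setgroups() and Linux for prctl(PR_SET_NO_NEW_PRIVS); the uid/gid 65534 is a constructed placeholder for the conventional "nobody" account, and the function names are the example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Irrevocably drop from root to an unprivileged uid/gid.
 * Order matters: supplementary groups first (needs root), then gid,
 * then uid, because once the uid is no longer 0 the earlier steps
 * would fail with EPERM. When the effective uid is 0, setuid() sets
 * real, effective and saved uid together, so no saved uid 0 is left
 * to return to: this is the "trapdoor" discussed in the thread.
 * Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Verify the drop took effect on both the real and effective ids. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Linux-specific: forbid this process and all its descendants from ever
 * gaining privilege through execve() of setuid/setgid or file-capability
 * binaries. Works for any uid and cannot be undone. Returns 0 on success,
 * -1 on failure, and 1 where the mechanism is unavailable (non-Linux). */
int lock_no_new_privs(void) {
#ifdef __linux__
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0 ? 0 : -1;
#else
    return 1;
#endif
}

/* Returns 1 if the process can still become root (it is root now, or a
 * saved uid of 0 lets setuid(0) succeed), 0 if that door is closed. */
int can_regain_root(void) {
    if (geteuid() == 0)
        return 1;
    if (setuid(0) == 0)
        return 1;   /* only possible with a saved uid of 0 */
    return 0;
}

int main(void) {
    /* 65534 is the conventional "nobody" uid/gid: a constructed placeholder.
     * A real service would look up its own account with getpwnam(). */
    uid_t target_uid = 65534;
    gid_t target_gid = 65534;
    if (geteuid() != 0) {
        /* Not root: demonstrate on our own ids, which still shows that
         * no path back to root exists afterwards. */
        target_uid = getuid();
        target_gid = getgid();
    }
    if (drop_privileges(target_uid, target_gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    if (lock_no_new_privs() < 0) {
        perror("prctl");
        return 1;
    }
    printf("running as uid=%u gid=%u, can regain root: %s\n",
           (unsigned)getuid(), (unsigned)getgid(),
           can_regain_root() ? "yes" : "no");
    return 0;
}
```

The verification step after the drop is the part worth copying: a setuid() call that silently fails (for example because setgroups() ran after the uid was already changed) leaves a service believing it is unprivileged when it is not, so a daemon should check getuid()/geteuid() itself rather than trust the return codes alone.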