Thread: Re: PgSQL not as Administrator - probs on w
> I agree.

As do I.

> Unfortunately I can't run my normal development user without
> admin privileges as quite a bit of the testing needs privileges
> for registry, files, debugging etc..

Same here. I think this could be a bit of an annoyance to a lot of novice users... exactly the set we are trying to win over with this port.

Let's at least provide an *obvious* command line to override.

Cheers,
Claudio
Claudio Natoli wrote:
>> I agree.
>
> As do I.
>
>> Unfortunately I can't run my normal development user without
>> admin privileges as quite a bit of the testing needs privileges
>> for registry, files, debugging etc..
>
> Same here. I think this could be a bit of an annoyance to a lot of novice
> users... exactly the set we are trying to win over with this port.
>
> Let's at least provide an *obvious* command line to override.

Cmd line option won't be enough, win32 users don't even know there's such a beast... It'll be up to the installer to shout loudly about that option, warning for eternal damnation if using it. Maybe the installer can offer to create a safe user.

Regards,
Andreas
Andreas Pflug said:
> Cmd line option won't be enough, win32 users don't even know there's
> such a beast... It'll be up to the installer to shout loudly about that
> option, warning for eternal damnation if using it. Maybe the installer
> can offer to create a safe user.

I like that idea a lot more (didn't I suggest something similar a while back? :-) ). Then there is no difference between the rules on Windows vs. Unix, and we teach Windows users sane security practice, and make it easy for them. And we avoid giving Tom a conniption ;-)

cheers

andrew
Andrew Dunstan wrote:
> I like that idea a lot more (didn't I suggest something similar a while
> back? :-) ). Then there is no difference between the rules on Windows vs.
> Unix, and we teach Windows users sane security practice, and make it easy
> for them. And we avoid giving Tom a conniption ;-)

Yes, we should avoid that in any case :-)

Still that super luxurious installer will take a while to code. In the meantime, cmd line option?

Regards,
Andreas
Andreas Pflug <pgadmin@pse-consulting.de> writes:
> Maybe the installer can offer to create a safe user.

That seems like a reasonable compromise to me. I do *not* wish to allow people to override the safety check. We periodically get complaints from Unix users that they don't see why they shouldn't be allowed to start the server as root; we have not been swayed by those arguments and I do not propose to be swayed by the Windows variant. Unsafe is unsafe.

regards, tom lane
On 01.07.2004 16:33 Tom Lane wrote:
> I do *not* wish to allow people to override the safety check. We
> periodically get complaints from Unix users that they don't see why
> they shouldn't be allowed to start the server as root; we have not
> been swayed by those arguments and I do not propose to be swayed
> by the Windows variant. Unsafe is unsafe.

"When in Rome..."

The problem is that Unix users are used to that concept. Even if I assume that the usual user trying/using Postgres is more experienced than the average Windows user, this is still not the way things are done in Windows. Especially with a desktop computer.

I fully understand your point when it comes to production servers, but I'm sure that a lot of people would like to try out Postgres on their desktop and use PG as a desktop database. Those users could easily be taken aback from using PG in that case.

Just my 0.02 EUR
Thomas
----- Original Message -----
From: "Thomas Kellerer" <spam_eater@gmx.net>
To: <pgsql-hackers-win32@postgresql.org>
Sent: Thursday, July 01, 2004 5:35 PM
Subject: Re: [pgsql-hackers-win32] PgSQL not as Administrator - probs on w

> On 01.07.2004 16:33 Tom Lane wrote:
> > I do *not* wish to allow people to override the safety check. We
> > periodically get complaints from Unix users that they don't see why
> > they shouldn't be allowed to start the server as root; we have not
> > been swayed by those arguments and I do not propose to be swayed
> > by the Windows variant. Unsafe is unsafe.
>
> "When in Rome..."
>
> The problem is that Unix users are used to that concept. Even if I assume that
> the usual user trying/using Postgres is more experienced than the average
> Windows user, this is still not the way things are done in Windows. Especially
> with a desktop computer.
>
> I fully understand your point when it comes to production servers, but I'm sure
> that a lot of people would like to try out Postgres on their desktop and use PG
> as a desktop database. Those users could easily be taken aback from using PG
> in that case.

And you are very right.

This is a part from (private) discussion I had with one of the win developers:

> The current initdb is broken with "execution of postgresql by user with
> administrative rights is not allowed". I think developers are going VERY
> overboard with security, by NOT allowing users WITH certain administrative
> rights to run postgres - as a feature.
>
> We can't assume that developers (such as Java webapp developers, who want to
> run postgres in their dev environment) have the right to add another user
> account. Want to limit the success of native? Surefire way to do it.
>
> I am not in the community and don't want my first comment to be bitching,
> but maybe you can bring that up for me?

It seems that the 'linux' way 'scares' some win users :-(

Regards !
Darko Prenosil wrote:
> This is a part from (private) discussion I had with one of the win
> developers:
>
>> The current initdb is broken with "execution of postgresql by user with
>> administrative rights is not allowed". I think developers are going VERY
>> overboard with security, by NOT allowing users WITH certain administrative
>> rights to run postgres - as a feature.
>>
>> We can't assume that developers (such as Java webapp developers, who want to
>> run postgres in their dev environment) have the right to add another user
>> account.

Why can't we assume that? Isn't the right to create users intrinsic to being an administrative user?

Jochem
Darko Prenosil wrote:
>> Want to limit the success of native? Surefire way to do it.
>>
>> I am not in the community and don't want my first comment to be bitching,
>> but maybe you can bring that up for me?
>
> It seems that the 'linux' way 'scares' some win users :-(

In the win32 user's sight, the current implementation is very dogmatic. While there *has* to be some dogmatism about security, IMHO in the case of account to run pgsql on this is up to the administrator, not us. We should recommend using a separate user, support it in the installer by default as comfortable as possible, but enforcing it is regarded as non-native and thus suspicious in the win32 world.

Running as admin is so common for Windows, you'd never see complaints about that aspect. Even programs *requiring* admin rights are widely accepted (with some minor grumbling).

It's another universe...

Regards,
Andreas
Andreas Pflug wrote:
> Darko Prenosil wrote:
>>> Want to limit the success of native? Surefire way to do it.
>>>
>>> I am not in the community and don't want my first comment to be
>>> bitching, but maybe you can bring that up for me?
>>
>> It seems that the 'linux' way 'scares' some win users :-(
>
> In the win32 user's sight, the current implementation is very
> dogmatic. While there *has* to be some dogmatism about security, IMHO
> in the case of account to run pgsql on this is up to the
> administrator, not us. We should recommend using a separate user,
> support it in the installer by default as comfortable as possible, but
> enforcing it is regarded as non-native and thus suspicious in the
> win32 world.
>
> Running as admin is so common for Windows, you'd never see complaints
> about that aspect. Even programs *requiring* admin rights are widely
> accepted (with some minor grumbling).
>
> It's another universe...

I originally left the 'running as root/administrator' check out of initdb for this reason. However, the flip side is that if nobody ever enforces a better way of doing things nothing will ever change. We don't run as root on Unix for a reason. It's hard to see that that reason applies less in the case of Windows. Are you prepared to take responsibility if someone finds a way to use postgres as a vector to subvert Windows machines? Me either.

cheers

andrew
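The root/administrator check the thread is arguing about, as an added illustration and not PostgreSQL's own initdb code: on Unix it is an effective-uid test, on Windows a token membership test against BUILTIN\Administrators; the function names and the exit codes are my own choices.

```c
/* Added example, not PostgreSQL's initdb code: the privilege check the
 * thread argues about. Returns 1 if the process runs as root/Administrator,
 * 0 if not, -1 if it cannot tell. */
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
int running_as_privileged_user(void)
{
    SID_IDENTIFIER_AUTHORITY nt_auth = SECURITY_NT_AUTHORITY;
    PSID admins = NULL;
    BOOL member = FALSE;
    int rc;
    /* Well-known SID for BUILTIN\Administrators, S-1-5-32-544. */
    if (!AllocateAndInitializeSid(&nt_auth, 2, SECURITY_BUILTIN_DOMAIN_RID,
                                  DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0,
                                  &admins))
        return -1;
    /* NULL token = the calling thread's (else the process') token. Caveat: a
     * UAC-filtered admin token carries this group as deny-only, so a
     * non-elevated administrator is reported as unprivileged here. */
    rc = CheckTokenMembership(NULL, admins, &member) ? (member ? 1 : 0) : -1;
    FreeSid(admins);
    return rc;
}
#else
#include <unistd.h>
int running_as_privileged_user(void)
{
    /* The Unix rule the thread cites: effective uid 0 is root. */
    return geteuid() == 0 ? 1 : 0;
}
#endif
/* The policy Tom Lane defends: refuse outright rather than warn.
 * Returns a startup exit status: 0 ok, 1 refused, 2 could not tell. */
int refuse_if_privileged(void)
{
    int priv = running_as_privileged_user();
    if (priv < 0) {
        fprintf(stderr, "cannot determine privilege level; refusing to start\n");
        return 2;
    }
    if (priv) {
        fprintf(stderr, "execution of postgresql by user with administrative "
                        "rights is not allowed\n");
        return 1;
    }
    return 0;
}

int main(void) { return refuse_if_privileged(); }
```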
On Fri, 09 Jul 2004 08:14:55 -0400, Andrew Dunstan <andrew@dunslane.net> wrote:
> I originally left the 'running as root/administrator' check out of
> initdb for this reason. However, the flip side is that if nobody ever
> enforces a better way of doing things nothing will ever change. We don't
> run as root on Unix for a reason. It's hard to see that that reason
> applies less in the case of Windows. Are you prepared to take
> responsibility if someone finds a way to use postgres as a vector to
> subvert Windows machines? Me either.

If you're going to try to change the Windows user, rather than try to work with what the Windows user expects, why do a Win32 port at all? Just tell them (as someone here said not that long ago) that you'd be crazy to expect Postgres to work well on Windows and suggest they install Linux. :)

It is normal on Windows for users to have admin rights on the local system. As much as this needs to be changed, you're not going to change it. If you insist on not running on an account with admin rights, you're just going to frustrate users.

You could say "Windows is inherently insecure; refusing to run". That would make the port much simpler. :)

A warning is appropriate I think.. but refusing to run is going overboard. Just my two cents.

--
Steve Tibbett
stevex-pgsql@oakburl.net
On 09.07.2004 14:27 Steve Tibbett wrote:
> A warning is appropriate I think.. but refusing to run is going
> overboard. Just my two cents.

I completely agree with that opinion!

Thomas
I recently had to run MS Baseline Security Analyzer:

http://www.microsoft.com/technet/security/tools/mbsahome.mspx

on a default SQL Server installation. It was interesting that it produced security alerts about the (default) installation I had performed using a system account:

- server run using LocalSystem, recommend running as an unprivileged account

Of course most folks will either a) not run this tool, or b) ignore the warning, but if MS keep getting hammered on the security front, they too may well adopt the "won't run if I am an admin" stance in order to prevent Gartner recommending punters away from SQL Server (like they did with IIS).

There are signs that the previous Windows paradigm of "security sacrificed on the altar of user convenience" is drawing to a close (e.g. in Win 2003 default permissions have been altered *away* from "world writable/sharable for everything").

You are right - it is going to annoy many users. However there is another way of seeing this. Postgres is on the leading edge for increasing security awareness on the windows platform, and boy is there a need for that!

regards

Mark

Steve Tibbett wrote:
> It is normal on Windows for users to have admin rights on the local
> system. As much as this needs to be changed, you're not going to
> change it. If you insist on not running on an account with admin
> rights, you're just going to frustrate users.
>
> You could say "Windows is inherently insecure; refusing to run". That
> would make the port much simpler. :)
>
> A warning is appropriate I think.. but refusing to run is going
> overboard. Just my two cents.
>
> --
> Steve Tibbett
> stevex-pgsql@oakburl.net
Andreas Pflug <pgadmin@pse-consulting.de> writes:
> Running as admin is so common for Windows, you'd never see complaints
> about that aspect. Even programs *requiring* admin rights are widely
> accepted (with some minor grumbling).
> It's another universe...

Indeed --- a universe where root-level exploits are so common it's not even funny. Postgres will *not* be doing this. Can we stop wasting list bandwidth on the point? There is exactly zero chance of getting any such proposal past the core committee. End of discussion.

regards, tom lane