Here is the email I have.

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  [EMAIL PROTECTED]               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
>From [EMAIL PROTECTED] Mon May  3 17:08:51 2004
Subject: [PATCHES] Run-as-admin warning for win32
Date: Mon, 3 May 2004 20:59:37 +0200
From: "Magnus Hagander" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>

For review, comments and possible application to HEAD.

This code implements a warning when the postmaster is started as a
high-privilege account on win32 (administrator or power users).
Previously, postgresql has exited out on Unix when running as root -
this is a similar check, with the following differences:

* We do an ereport(WARNING) instead of exiting out. The reason for this
is that we can expect there are win32 admins that will want to run the
server with a high privilege account. Just sending a warning will permit
this (say, when debugging etc, or if people are just too lazy to care),
while clearly stating it's not a recommended way to do it.

* The Unix check is directly in main.c. We cannot do this on win32,
because at this stage we can only printf and exit. Win32 needs ereport.
Consider when running as a service - before we have loaded up
postgresql.conf and noticed we should write to the eventlog, we cannot
inform the user in any way (stderr = /dev/null from a service by
default). Therefore, the win32 check is in PostmasterMain. There might be
a slightly better place to put it, not 100% sure about that..


The win32 specific code is mainly in the file security.c to go in
src/backend/port/win32.


//Magnus


 <<security.c>>  <<admin_warning.patch>>

>From [EMAIL PROTECTED] Mon May  3 22:42:50 2004
Date: Tue, 04 May 2004 05:37:35 +0300
From: Shachar Shemesh <[EMAIL PROTECTED]>
To: Magnus Hagander <[EMAIL PROTECTED]>
cc: [EMAIL PROTECTED]
Subject: Re: [PATCHES] Run-as-admin warning for win32

1. You forgot to check "localsystem", as well as "domain admins". These 
two have even higher permissions than the ones you test for, and one of 
them is the default if Postgres ever makes it to become a service.
2. Are you sure "Powerusers" is such a good idea? It's the default for 
all non-admin users. When Postgres becomes a service, it's going to be 
relatively easy to configure it to run as a low-priv user. Until then, 
however, isn't it too difficult for admins to set up the system for it 
to run as a different user?

             Shachar

Magnus Hagander wrote:

>For review, comments and possible application to HEAD.
>
>This code implements a warning when the postmaster is started as a
>high-privilege account on win32 (administrator or power users).
>Previously, postgresql has exited out on Unix when running as root -
>this is a similar check, with the following differences:
>
>* We do an ereport(WARNING) instead of exiting out. The reason for this
>is that we can expect there are win32 admins that will want to run the
>server with a high privilege account. Just sending a warning will permit
>this (say, when debugging etc, or if people are just too lazy to care),
>while clearly stating it's not a recommended way to do it.
>
>* The Unix check is directly in main.c. We cannot do this on win32,
>because at this stage we can only printf and exit. Win32 needs ereport.
>Consider when running as a service - before we have loaded up
>postgresql.conf and noticed we should write to the eventlog, we cannot
>inform the user in any way (stderr = /dev/null from a service by
>default). Therefore, the win32 check is in PostmasterMain. There might be
>a slightly better place to put it, not 100% sure about that..
>
>
>The win32 specific code is mainly in the file security.c to go in
>src/backend/port/win32.
>
>
>//Magnus
>
>
> 
> <<security.c>>  <<admin_warning.patch>> 


-- 
Shachar Shemesh
Lingnu Open Source Consulting
http://www.lingnu.com/
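
Shachar's first point above, that LocalSystem and Domain Admins are missing from the check, comes down to which SIDs in the process token count as high-privilege. The following is an added illustration, not the contents of security.c (which is not reproduced on this page): portable C that classifies SID strings against the well-known values for the four accounts and groups named in the thread. All function and type names are hypothetical, the sample SIDs are constructed, and it assumes the token's SIDs are already available as strings.

```c
/* Added example (hypothetical names): classify a token's SIDs as high-privilege. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SUBAUTH 15              /* a SID has at most 15 sub-authorities */
#define DOM "S-1-5-21-1111111111-2222222222-3333333333"   /* constructed domain */

enum priv_class {
    PRIV_INVALID = -1,              /* malformed SID string: caller can fail closed */
    PRIV_NONE = 0,
    PRIV_LOCAL_SYSTEM,              /* S-1-5-18 */
    PRIV_ADMINISTRATORS,            /* S-1-5-32-544 */
    PRIV_POWER_USERS,               /* S-1-5-32-547 */
    PRIV_DOMAIN_ADMINS              /* S-1-5-21-<domain>-512 */
};

struct parsed_sid {
    unsigned long long authority;
    unsigned long sub[MAX_SUBAUTH];
    int nsub;
};

/* Parse "S-1-<authority>-<sub>-<sub>..."; returns 0 on success, -1 on error. */
int parse_sid(const char *s, struct parsed_sid *out)
{
    char *end;
    if (strncmp(s, "S-1-", 4) != 0)
        return -1;
    s += 4;
    if (*s < '0' || *s > '9')
        return -1;
    out->authority = strtoull(s, &end, 10);
    out->nsub = 0;
    for (s = end; *s == '-'; s = end) {
        s++;
        if (out->nsub == MAX_SUBAUTH || *s < '0' || *s > '9')
            return -1;
        out->sub[out->nsub++] = strtoul(s, &end, 10);
    }
    return *s == '\0' ? 0 : -1;
}

/* Map one SID string to the privileged account or group it denotes, if any. */
enum priv_class classify_sid(const char *text)
{
    struct parsed_sid sid;
    if (parse_sid(text, &sid) != 0)
        return PRIV_INVALID;
    if (sid.authority != 5)                     /* not NT AUTHORITY */
        return PRIV_NONE;
    if (sid.nsub == 1 && sid.sub[0] == 18)
        return PRIV_LOCAL_SYSTEM;
    if (sid.nsub == 2 && sid.sub[0] == 32) {    /* BUILTIN domain */
        if (sid.sub[1] == 544) return PRIV_ADMINISTRATORS;
        if (sid.sub[1] == 547) return PRIV_POWER_USERS;
    }
    /* Domain-relative SID: 21, three domain identifiers, then the RID. */
    if (sid.nsub == 5 && sid.sub[0] == 21 && sid.sub[4] == 512)
        return PRIV_DOMAIN_ADMINS;
    return PRIV_NONE;
}

/* Scan user and group SIDs; the first privileged or malformed entry decides. */
enum priv_class token_privilege(const char *const *sids, int n)
{
    for (int i = 0; i < n; i++) {
        enum priv_class c = classify_sid(sids[i]);
        if (c != PRIV_NONE)
            return c;
    }
    return PRIV_NONE;
}

int main(void)
{
    /* Constructed sample tokens, not taken from a real system. */
    const char *const service[] = { "S-1-5-18", "S-1-5-32-544" };
    const char *const lowpriv[] = { DOM "-1001", "S-1-5-32-545" };
    printf("service token: %d\n", token_privilege(service, 2));
    printf("lowpriv token: %d\n", token_privilege(lowpriv, 2));
    return 0;
}
```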


>From [EMAIL PROTECTED] Tue May  4 00:22:47 2004
To: "Magnus Hagander" <[EMAIL PROTECTED]>
cc: [EMAIL PROTECTED]
Subject: Re: [PATCHES] Run-as-admin warning for win32
Date: Tue, 04 May 2004 00:17:48 -0400
From: Tom Lane <[EMAIL PROTECTED]>

"Magnus Hagander" <[EMAIL PROTECTED]> writes:
> Previously, postgresql has exited out on Unix when running as root -
> this is a similar check, with the following differences:

> * We do an ereport(WARNING) instead of exiting out.

Why?  If we refuse to run as root on Unix, I do not see an argument for
being more forgiving on Windows.

> The reason for this
> is that we can expect there are win32 admins that will want to run the
> server with a high privilege account.

Translated: "we can expect a higher proportion of Windows admins who
will refuse to be force-fed a clue"?  Not a lot of sympathy here.

> * The Unix check is directly in main.c. We cannot do this on win32,
> because at this stage we can only printf and exit. Win32 needs ereport.

We could move the Unix check later without any problem.  I agree with
keeping both checks in the same place.

                        regards, tom lane

>From [EMAIL PROTECTED] Tue May  4 00:46:55 2004
From: Bruce Momjian <[EMAIL PROTECTED]>
Subject: Re: [PATCHES] Run-as-admin warning for win32
To: Tom Lane <[EMAIL PROTECTED]>
Date: Tue, 4 May 2004 00:31:15 -0400 (EDT)
cc: Magnus Hagander <[EMAIL PROTECTED]>, [EMAIL PROTECTED]

Tom Lane wrote:
> "Magnus Hagander" <[EMAIL PROTECTED]> writes:
> > Previously, postgresql has exited out on Unix when running as root -
> > this is a similar check, with the following differences:
> 
> > * We do an ereport(WARNING) instead of exiting out.
> 
> Why?  If we refuse to run as root on Unix, I do not see an argument for
> being more forgiving on Windows.

I am not sure it is as easy to run as non-admin on Win32 as it is to run
as non-root on Unix.  Is it?

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  [EMAIL PROTECTED]               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073

>From [EMAIL PROTECTED] Tue May  4 00:53:46 2004
To: Bruce Momjian <[EMAIL PROTECTED]>
cc: Magnus Hagander <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Subject: Re: [PATCHES] Run-as-admin warning for win32
Date: Tue, 04 May 2004 00:43:32 -0400
From: Tom Lane <[EMAIL PROTECTED]>

Bruce Momjian <[EMAIL PROTECTED]> writes:
> Tom Lane wrote:
>> Why?  If we refuse to run as root on Unix, I do not see an argument for
>> being more forgiving on Windows.

> I am not sure it is as easy to run as non-admin on Win32 as it is to run
> as non-root on Unix.  Is it?

Ease of use has nothing to do with this.  Given the demonstrated
security weaknesses of Windows, we would be completely irresponsible
to allow Postgres to be started in an obviously-insecure way on that
platform.

In other words, I do not wish to be the author of code that could become
the vector for the next SQL Slammer worm.

I am already deathly afraid of what the Windows port is likely to do
to Postgres' reputation for reliability and security.  Do *not* get
me started by proposing that we insert obvious security holes on lame
"ease of use" grounds.  Haven't the boys in Redmond already proven
the wrongness of those priorities many times over?

                        regards, tom lane

>From [EMAIL PROTECTED] Tue May  4 03:53:13 2004
Date: Tue, 4 May 2004 03:50:35 -0400 (EDT)
Subject: Re: [PATCHES] Run-as-admin warning for win32
From: "Andrew Dunstan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>

Tom Lane said:
> Bruce Momjian <[EMAIL PROTECTED]> writes:
>> Tom Lane wrote:
>>> Why?  If we refuse to run as root on Unix, I do not see an argument
>>> for being more forgiving on Windows.
>
>> I am not sure it is as easy to run as non-admin on Win32 as it is to
>> run as non-root on Unix.  Is it?
>
> Ease of use has nothing to do with this.  Given the demonstrated
> security weaknesses of Windows, we would be completely irresponsible to
> allow Postgres to be started in an obviously-insecure way on that
> platform.
>
> In other words, I do not wish to be the author of code that could
> become the vector for the next SQL Slammer worm.
>

Me either :-)

> I am already deathly afraid of what the Windows port is likely to do to
> Postgres' reputation for reliability and security.  Do *not* get me
> started by proposing that we insert obvious security holes on lame
> "ease of use" grounds.  Haven't the boys in Redmond already proven the
> wrongness of those priorities many times over?
>

If we are going to enforce the 'must be non-privileged user' on Windows,
there are some things we need to do, I think:

. enforce the rule in initdb (currently it does not, on Windows).
. if the installer is running as Administrator, it should create a
Postgres user
. if the installer is going to install the service, it should run initdb
as the postgres user (is that possible?) and install the service to run as
that user.

IOW, we need to make it as easy as possible to be secure.

cheers

andrew



>From [EMAIL PROTECTED] Tue May  4 04:33:04 2004
Date: Tue, 04 May 2004 11:30:10 +0300
From: Shachar Shemesh <[EMAIL PROTECTED]>
To: Thomas Hallgren <[EMAIL PROTECTED]>
cc: [EMAIL PROTECTED]
Subject: Re: [PATCHES] Run-as-admin warning for win32

Thomas Hallgren wrote:

>http://download.microsoft.com/download/1/b/8/1b8fc001-6f67-4ea1-b0f2-8add1da8cbc0/_Toc42414596
>  
>
Link does not work.

>Excerpt:
>
>Unfortunately, these permissions are also the same permissions that allow
>power users to:
>  * Introduce Trojan horses that, if executed by administrators or
>    other users, can compromise system and data security
>  * Make system-wide operating system and application changes
>    that affect other users of the system
>
>Kind regards,
>
>Thomas Hallgren
>  
>
<rant>
That pathetic thing called "Windows security" is getting to me. It is 
close to impossible to create a "user", and once created, this user will 
not be capable of actually doing anything.

Very flexible, very granular permissions system results in making it 
impossible for someone, us in this case, to find out whether we are 
over-privileged.

Well meaning, but horrible system, with even more horrible results.
</rant>

Shachar

-- 
Shachar Shemesh
Lingnu Open Source Consulting
http://www.lingnu.com/


>From [EMAIL PROTECTED] Tue May  4 11:00:52 2004
Subject: RE: [PATCHES] Run-as-admin warning for win32
Date: Tue, 4 May 2004 17:00:46 +0200
From: "Magnus Hagander" <[EMAIL PROTECTED]>
To: "Bruce Momjian" <[EMAIL PROTECTED]>
cc: "Tom Lane" <[EMAIL PROTECTED]>, "Andrew Dunstan" <[EMAIL PROTECTED]>,
   <[EMAIL PROTECTED]>

> > The installer-skeleton I have right now permits installation as local
> > system but recommends a user account. But that's just functionality to
> > remove, so that's easily done. In the other case, it prompts for
> > username and password to run as.
>
> How would it install on an XP laptop?  If I am logged in as myself and
> I am listed as a "Computer Administrator", do I need to create another
> user, and how do I do the install as that other user, and start/stop
> the server, and stuff like that?

Yes, you need to create another user.
When running as a service, just tell the installer. It should set up
required permissions. Then start the service as normal using the Service
Control Manager.

When running manually, you will have to grant the postgres user the
required permissions on the PGDATA directory. Then you can start the
server using "runas".

//Magnus
