win32 port

To begin with I am not sure this is a correct place to post this, if not
please let me know.

The PostgreSQL traditionally refuses to run under root account on Unix (for
security reasons). On win32 the situation is the same (it will not run if
run under user belonging to administrator group).
In my opinion this should not be the case on win32 as developers are likely
to belong to the administrators group and might like to run the database
under their account.

I think that issuing a warning (pop up window) at the start-up of the
postmaster would be enough, something like:

"Starting under privileged account is considered unsafe. Please consider
starting the database server under different user account."

Basically, the server should not impose the policy (under windows) giving
user the choice.

What do you think?
Nov 23 '05 #1
On Wed, Jul 07, 2004 at 02:01:57PM +0100, nobody wrote:
> To begin with I am not sure this is a correct place to post this, if not
> please let me know.
>
> The PostgreSQL traditionally refuses to run under root account on Unix (for
> security reasons). On win32 the situation is the same (it will not run if
> run under user belonging to administrator group).
> In my opinion this should not be the case on win32 as developers are likely
> to belong to the administrators group and might like to run the database
> under their account.

Think carefully about this. If the DB runs with admin rights, you've
just given any person who connects to the database full rights to read
and write any file on disk. Look at the COPY IN/OUT command and the
lo_import/export() functions. They run with the privileges of the
*backend* not the frontend. So any connecting user would be able to
lo_import() any file on disk and then display it for perusal.

This is why on unix it runs as its own user. Then it can only read
other people's world-readable files.

> I think that issuing a warning (pop up window) at the start-up of the
> postmaster would be enough, something like:
>
> "Starting under privileged account is considered unsafe. Please consider
> starting the database server under different user account."

Eeeuw, pop-up windows for a database server. No doubt it should stop
the database starting up waiting for someone to press OK. Very useful
(*not*) if you want to start the database from a script on a remote
machine.

Have a nice day,
--
Martijn van Oosterhout <kl*****@svana.org> http://svana.org/kleptog/
Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
tool for doing 5% of the work and then sitting around waiting for someone
else to do the other 95% so you can sue them.



Nov 23 '05 #2
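The two points made in the reply above (a server refusing to start under a privileged account, and a dedicated account limiting the backend to files that account may read), as an added C example that is not part of the thread and is not PostgreSQL's own code. The names `classify_account` and `backend_can_read` are hypothetical, and the read check is a simplification that ignores supplementary groups, ACLs and capabilities.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

typedef enum { ACCT_OK, ACCT_ROOT, ACCT_SETUID_MISMATCH } acct_status;

/* Start-up policy: refuse uid 0, and refuse a real/effective uid mismatch
 * (a setuid launch), so the server never holds more rights than its owner. */
acct_status classify_account(uid_t ruid, uid_t euid)
{
    if (euid == 0) return ACCT_ROOT;
    if (ruid != euid) return ACCT_SETUID_MISMATCH;
    return ACCT_OK;
}

/* Classic Unix read check for a server process running as (uid, gid).
 * Every file operation a client triggers is decided by this identity. */
int backend_can_read(uid_t uid, gid_t gid, uid_t owner, gid_t group, mode_t mode)
{
    if (uid == 0) return 1;                           /* root bypasses mode bits */
    if (uid == owner) return (mode & S_IRUSR) != 0;   /* owner class wins */
    if (gid == group) return (mode & S_IRGRP) != 0;
    return (mode & S_IROTH) != 0;                     /* world-readable only */
}

int main(int argc, char **argv)
{
    acct_status st = classify_account(getuid(), geteuid());
    if (st != ACCT_OK) {
        fprintf(stderr, "refusing to start: %s\n",
                st == ACCT_ROOT ? "running as root" : "real and effective uid differ");
        return 1;
    }
    /* Report which of the given paths a backend under this account could read. */
    for (int i = 1; i < argc; i++) {
        struct stat sb;
        if (stat(argv[i], &sb) != 0) { perror(argv[i]); continue; }
        int ok = backend_can_read(geteuid(), getegid(), sb.st_uid, sb.st_gid, sb.st_mode);
        printf("%s: %s\n", argv[i], ok ? "readable by backend" : "not readable by backend");
    }
    return 0;
}
```

Run it under the account intended for the server, passing the paths you care about as arguments.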
On Wed, Jul 07, 2004 at 02:01:57PM +0100, nobody wrote:
> The PostgreSQL traditionally refuses to run under root account on Unix (for
> security reasons). On win32 the situation is the same (it will not run if
> run under user belonging to administrator group).
> In my opinion this should not be the case on win32 as developers are likely
> to belong to the administrators group and might like to run the database
> under their account.


Nah, this has been proposed and rejected at least a couple of times
already. The reason is that Postgres does not want to be the next
worm-causing program out there. Sloppy security on the grounds of ease
of use is exactly the reason why Microsoft products are full of security
programs.

There's a reason for refusing to run as root on Unix, and the same
reason holds on Windows. Much more strongly, I might add.

--
Alvaro Herrera (<alvherre[a]dcc.uchile.cl>)
"Hay quien adquiere la mala costumbre de ser infeliz" (M. A. Evans)

Nov 23 '05 #3
hello martijn,

maybe there are good reasons for both opinions - yours and "nobodys"
(btw not too good a name...):

when postgresql should be running in production-systems running the
database as root would be suicide (maybe running on most
windows-environments too...). so this should be prevented.

but: if i do "just" programming and i want to run postgresql besides my
ide to create/test my wonderful programming ideas there should be just
the ability to run postgresql with any user - even with root. otherwise
i must login to my computer as special postgresql-user to run postgresql
but maybe don't have all rights to work with my ide and other
programming-tools.

so there should be an easy solution for both!

greetings
hans

Martijn van Oosterhout wrote:
> On Wed, Jul 07, 2004 at 02:01:57PM +0100, nobody wrote:
>
> > To begin with I am not sure this is a correct place to post this, if not
> > please let me know.
> >
> > The PostgreSQL traditionally refuses to run under root account on Unix (for
> > security reasons). On win32 the situation is the same (it will not run if
> > run under user belonging to administrator group).
> > In my opinion this should not be the case on win32 as developers are likely
> > to belong to the administrators group and might like to run the database
> > under their account.
>
> Think carefully about this. If the DB runs with admin rights, you've
> just given any person who connects to the database full rights to read
> and write any file on disk. Look at the COPY IN/OUT command and the
> lo_import/export() functions. They run with the privileges of the
> *backend* not the frontend. So any connecting user would be able to
> lo_import() any file on disk and then display it for perusal.
>
> This is why on unix it runs as its own user. Then it can only read
> other people's world-readable files.
>
> > I think that issuing a warning (pop up window) at the start-up of the
> > postmaster would be enough, something like:
> >
> > "Starting under privileged account is considered unsafe. Please consider
> > starting the database server under different user account."
>
> Eeeuw, pop-up windows for a database server. No doubt it should stop
> the database starting up waiting for someone to press OK. Very useful
> (*not*) if you want to start the database from a script on a remote
> machine.
>
> Have a nice day,


Nov 23 '05 #4
On Sat, Jul 10, 2004 at 10:48:59AM +0200, zu****@iname.com wrote:
> when postgresql should be running in production-systems running the
> database as root would be suicide (maybe running on most
> windows-environments too...). so this should be prevented.
>
> but: if i do "just" programming and i want to run postgresql besides my
> ide to create/test my wonderful programming ideas there should be just
> the ability to run postgresql with any user - even with root. otherwise
> i must login to my computer as special postgresql-user to run postgresql
> but maybe don't have all rights to work with my ide and other
> programming-tools.

Err? Ok, I'm not too familiar with windows but surely it's possible to
run a server as another user. For me (on Linux mind you) all such
servers are started on bootup and several of them have their own user
accounts.

Unless you are considering running postgresql from your development
environment. Surely you run the server as its own user. The user
programs and command interface can run as any user.

Just run it as a service (i think that's the right term), you're the
admin, right?

Hope this helps,
--
Martijn van Oosterhout <kl*****@svana.org> http://svana.org/kleptog/
Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
tool for doing 5% of the work and then sitting around waiting for someone
else to do the other 95% so you can sue them.



Nov 23 '05 #5
hello martijn,

i know, on linux this is really a lot easier and the os is by far more
advanced than windows (my opinion) - especially concerning the issue
"user". but...

...i have little experience in linux and i work on windows.

...and i don't want to run postgresql as service - there are so many
services in windows (xp) running - every piece of software installs some
more or less dubious things in memory... - that the overall system-speed
is decreasing a lot the longer you run your computer.

...and - as far as i can see - to handle users is a young and not easy
to use feature in most windows-systems. as you surely know, windows was
mostly a one-user-system (just root). that made life easy but very
dangerous. nowadays i can create users but lots of windows-programs
still rely on being root (beginning from installation and ending with
using them). so many programs must be started - every time! - with
su-user-rights. so, if you made your windows-system more secure in
creating (and running your system as) a more restricted user, you always
have to enter "su". this makes you wonder, if the system is then more
secure any more on the one side, and after several times of working like
this, you wish your system back to old-style just to have an easy way
for working again on the other side.
all this is much more a problem, if ones computer/laptop is not only for
oneself but for all the other family-members too. e.g. you make a
restricted user for your children (not so much for your wife...) then
you have to either run to them, every time they want to run programs to
enter "su" or you give them "su"-infos - now try to decide yourself.

this is a problem for windows user - and for programmers on windows too.

so - back to the problem again: why couldn't there be - just for testing
and programming purposes!! - a way to start postgresql even with root
(and maybe - as "nobody" proposed - with that info-popup-window at the
beginning as a good reminder for somebody who would really try to make
this a production system)?

greetings from rainy salzburg/austria
hans

Martijn van Oosterhout wrote:
> On Sat, Jul 10, 2004 at 10:48:59AM +0200, zu****@iname.com wrote:
>
> > when postgresql should be running in production-systems running the
> > database as root would be suicide (maybe running on most
> > windows-environments too...). so this should be prevented.
> >
> > but: if i do "just" programming and i want to run postgresql besides my
> > ide to create/test my wonderful programming ideas there should be just
> > the ability to run postgresql with any user - even with root. otherwise
> > i must login to my computer as special postgresql-user to run postgresql
> > but maybe don't have all rights to work with my ide and other
> > programming-tools.
>
> Err? Ok, I'm not too familiar with windows but surely it's possible to
> run a server as another user. For me (on Linux mind you) all such
> servers are started on bootup and several of them have their own user
> accounts.
>
> Unless you are considering running postgresql from your development
> environment. Surely you run the server as its own user. The user
> programs and command interface can run as any user.
>
> Just run it as a service (i think that's the right term), you're the
> admin, right?
>
> Hope this helps,


Nov 23 '05 #6
On Sat, Jul 10, 2004 at 12:22:42PM +0200, zu****@iname.com wrote:
> ...and i don't want to run postgresql as service - there are so many
> services in windows (xp) running - every piece of software installs some
> more or less dubious things in memory... - that the overall system-speed
> is decreasing a lot the longer you run your computer.


There has to be a way of having a service configured not to run
automatically at boot, and run it by hand, isn't there?

Windows people would know better than me, but I think you can do these
things using "NET START" or something like that.

--
Alvaro Herrera (<alvherre[a]dcc.uchile.cl>)
"La victoria es para quien se atreve a estar solo"

Nov 23 '05 #7
Alvaro Herrera <al******@dcc.uchile.cl> wrote:
> On Sat, Jul 10, 2004 at 12:22:42PM +0200, zu****@iname.com wrote:
> > ...and i don't want to run postgresql as service - there are so many
> > services in windows (xp) running - every piece of software installs some
> > more or less dubious things in memory... - that the overall system-speed
> > is decreasing a lot the longer you run your computer.
>
> There has to be a way of having a service configured not to run
> automatically at boot, and run it by hand, isn't there?
>
> Windows people would know better than me, but I think you can do these
> things using "NET START" or something like that.


The GUI service control manager app lets you set these values. Startup
options such as automatic, manual, and disable exist. You can also manually
start/stop services from the GUI interface.

I believe Win2K3 now has CLI tools for this as well, but I don't know
the details.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com


Nov 23 '05 #8
Hello Hans,

zu****@iname.com wrote:
> ...i have little experience in linux and i work on windows.

I don't know the current state of the Windows port (PG 7.5) but as I
understood it currently won't run as service at all.
For getting a service you need to go with cygwin ...

I didn't test it, but at least since Windows 2000 there is a command
"runas" that can RUN programs AS other users.
You can use it even with the desktop, when you hold SHIFT and
right-click a program.

> ...and - as far as i can see - to handle users is a young and not easy
> to use feature in most windows-systems.

"young" as in its teens ;)
Windows NT => 2000 => XP => ... had user-accounts for years and the
access rights are nicely configurable.

You can even take away Administrator's rights to access directories or
files, though in most cases he can set it back himself.
This way you can prevent accidentally erasing stuff.


Nov 23 '05 #9
