[bug fix] pg_ctl fails with config-only directory

From: MauMau
Subject: [bug fix] pg_ctl fails with config-only directory
Date:
Msg-id: 180B62C99398442C999DEC7A1BB2DCB9@maumau
Replies: Re: [bug fix] pg_ctl fails with config-only directory
List: pgsql-hackers
Hello,

I've found a bug and would like to fix it, but I cannot figure out how to do 
that well.  Could you give me any advice?  I encountered this on PG 9.2, but 
it will probably exist in later versions.

[Problem]
On Windows, a user with Administrator privileges can start the database 
server.  However, when he uses a config-only directory, the database server 
cannot be started.  "pg_ctl start" fails with the following messages:

Execution of PostgreSQL by a user with administrative permissions is not
permitted.
The server must be started under an unprivileged user ID to prevent
possible system security compromises.  See the documentation for
more information on how to properly start the server.


[Cause]
pg_ctl runs "postgres -C data_directory" to know the data directory.  But 
postgres cannot be run by a user with Administrator privileges, and displays 
the above messages.


[Fix]
It is ideal that users with administrative privileges can start postgres, 
with the Administrator privileges removed.

Currently, initdb and pg_ctl take the trouble to invoke postgres in a process 
with restricted privileges.  I understand this improvement was done in 8.2 
or 8.3 for convenience.  The same convenience should be available when 
running postgres directly, at least "postgres -C", 
"postgres --describe-config", and "postgres --single".

Then, how can we do this?  Which approach should we take?

* Approach 1
When postgres starts, it removes Administrator privileges from its own 
process.  But is this possible at all?  The Windows security API is complex and 
provides many functions.  It seems difficult to understand them.  I'm afraid 
it would take a long time to figure out the solution.  Is there any good web 
page to look at?

* Approach 2
Do not call check_root() on Windows when -C, --describe-config, or --single 
is specified when running postgres.  This would be easy, and should not be 
dangerous in terms of security because attackers cannot get into the server 
process via network.

I'll try to find a solution based on approach 1, but I doubt there's one. 
If that's okay, I want to take approach 2.  Could you give me your thoughts?

Regards
MauMau
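An added diagnostic for the situation in the report (PowerShell written here, not from the thread or from PostgreSQL): it tells you whether the token of the current shell is the kind that makes "postgres -C data_directory" print the "not permitted" message. It assumes the check counts only an enabled BUILTIN\Administrators (or Power Users) SID as membership, so a token where that SID is present for deny only, as produced by UAC filtering or a pg_ctl-style restricted token, passes.

```powershell
# Added example, not PostgreSQL code. Inspects the current process token and
# reports whether an administrator check like the one postgres performs on
# Windows would refuse to run "postgres -C data_directory" from this shell.

# Well-known SIDs of the two groups the check is assumed to cover.
$WatchedSids = @{
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-32-547' = 'BUILTIN\Power Users'
}

function Get-WatchedGroupState {
    # Parse the token's group list. A UAC-filtered or restricted token still
    # lists Administrators, but whoami marks it "Group used for deny only".
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    foreach ($sid in $WatchedSids.Keys) {
        $entry = $groups | Where-Object { $_.SID -eq $sid }
        $state = if (-not $entry) { 'absent' }
                 elseif ($entry.Attributes -match 'deny only') { 'deny-only' }
                 else { 'enabled' }
        [pscustomobject]@{ Group = $WatchedSids[$sid]; SID = $sid; State = $state }
    }
}

function Test-EffectiveAdmin {
    # IsInRole() ignores deny-only SIDs, so it answers the same question the
    # server's check does: is Administrators *effective* in this token?
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$states = Get-WatchedGroupState
$states | Format-Table -AutoSize

if ($states.State -contains 'enabled') {
    Write-Output 'An administrative group is enabled in this token: postgres -C will refuse to run here.'
    Write-Output 'Run it via pg_ctl (restricted token) or from a non-administrator account instead.'
} else {
    Write-Output 'No administrative group is effective in this token: postgres -C can run here.'
}
Write-Output "IsInRole(Administrator) = $(Test-EffectiveAdmin)"
```

Run it once from an elevated prompt and once from a normal user prompt to see the "enabled" versus "deny-only" states side by side.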
