On Tue, Nov 15, 2005 at 10:29:34PM +0100, Magnus Hagander wrote:
> You still lose in the nested group scenario.
>
> And whlie a privilege like backup/restore can be used to overwrite any
> file on the system, you must be able to execute arbitrary API calls to
> do that. Whereas with admin/powerusers you can just use COPY or
> whatever.
Well, like you said, what's the problem we're trying to solve. It seems
to me that Windows doesn't have a clearly defined concept of
"superuser" and hence it can't be tested for. Having seperate API
points to access files that require different priviledges just makes it
more complicated.
There isn't a simple way to say, limit my access to this directory tree
(like chroot())? Surely as admin you could create tokens and add them
to the PGDATA directory and then allow only access to directories with
that token. Since PostgreSQL doesn't actually require priviledges,
couldn't you just enumerate and drop them all?
Maybe allow a cripple mode where you refuse to load objects or allow
COPY. Or run any functions in untrusted languages. Still seems to me to
be a failure in the OS that you can't just say "drop everything except
this".
> Bottom line is that pgwin32_is_admin() is far from perfect, it just
> catches the most common scenarios.
My method would be: try to open file for writing in the Windows System
directory. If that works you've got too much priviledge...
Have a nice day,
--
Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.