Re: initdb crash
| From | Gary Doades |
|---|---|
| Subject | Re: initdb crash |
| Date | |
| Msg-id | 40E81B1D.6082.E70537A@localhost |
| In reply to | Re: initdb crash ("Magnus Hagander" <mha@sollentuna.net>) |
| List | pgsql-hackers-win32 |
On 4 Jul 2004 at 15:47, Magnus Hagander wrote:

> This has nothing to do with possible attack vectors using SQL injection,
> for example. The admin starts the service. The SQL injection comes in
> through the webserver at a later time (and hey, if you don't even allow
> that one to connect to your server, then don't bother running it).
> Now sure, this is a bug in the web application, but there are thousands
> of webapps out there with just this kind of bug. And by not allowing the
> server to run as admin, we help the admins decrease the surface that
> this kind of attack can actually hit.

OK, I'll concede that one. I'd forgotten about web apps running on the same PC as the DB.

> The one argument I buy is the one for making it easier for developers. I
> guess one way would be a commandline option that permits it to run as
> admin. In doing this, it should also *FORCE* connections to permit
> 127.0.0.1 only, and emit a screenful of warnings about how bad this is.
> But sure, in a developers VM or otherwise secured machine, it's not a
> major issue.

I think this is all the Win32 users are asking for, but given the above argument about web apps it would still represent a small risk.

Thanks,
Gary.
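The startup policy sketched in the quoted message (refuse to run privileged unless explicitly permitted, and when permitted, accept only loopback listen addresses and client rules while warning loudly) can be expressed as a small check. The following is an added example written for this page, not code from PostgreSQL or from anyone in the thread; the `StartupConfig` fields, the `check_startup` function and the constructed configurations are all assumptions used for illustration.

```python
"""Startup policy check for a service that may be allowed to run with
administrator privileges (added example; not PostgreSQL code)."""
import ipaddress
from dataclasses import dataclass, field

# Loopback ranges that a privileged instance may listen on or accept from.
LOOPBACK_NETS = (ipaddress.ip_network("127.0.0.0/8"),
                 ipaddress.ip_network("::1/128"))


@dataclass
class StartupConfig:
    # Hypothetical fields (assumptions, not real server options):
    allow_privileged: bool      # the proposed "permit running as admin" switch
    running_privileged: bool    # what the OS reports about the service account
    listen_addresses: list = field(default_factory=list)   # bind addresses
    allowed_clients: list = field(default_factory=list)    # CIDR client rules


def is_loopback(addr_or_net: str) -> bool:
    """True only for addresses/networks fully inside 127.0.0.0/8 or ::1.
    Unparseable strings (e.g. hostnames) are treated as non-loopback, since
    they cannot be verified without a resolver lookup."""
    try:
        net = ipaddress.ip_network(addr_or_net, strict=False)
    except ValueError:
        return False
    return any(net.version == lb.version and net.subnet_of(lb)
               for lb in LOOPBACK_NETS)


def check_startup(cfg: StartupConfig):
    """Return (ok, messages).

    - Unprivileged: always fine, no messages.
    - Privileged without the explicit switch: refuse to start.
    - Privileged with the switch: warn, and refuse if any listen address or
      client rule reaches beyond loopback.
    """
    messages = []
    if not cfg.running_privileged:
        return True, messages
    if not cfg.allow_privileged:
        return False, ["refusing to start: service account has "
                       "administrator privileges and the override is not set"]
    messages.append("WARNING: running with administrator privileges; any "
                    "client that can reach this server can act as admin")
    offenders = [a for a in cfg.listen_addresses if not is_loopback(a)]
    offenders += [r for r in cfg.allowed_clients if not is_loopback(r)]
    for item in offenders:
        messages.append(f"refusing non-loopback setting in privileged mode: {item}")
    return (not offenders), messages


if __name__ == "__main__":
    # Constructed configurations for demonstration.
    dev_vm = StartupConfig(allow_privileged=True, running_privileged=True,
                           listen_addresses=["127.0.0.1", "::1"],
                           allowed_clients=["127.0.0.1/32"])
    exposed = StartupConfig(allow_privileged=True, running_privileged=True,
                            listen_addresses=["0.0.0.0"],
                            allowed_clients=["192.168.1.0/24"])
    for name, cfg in (("dev_vm", dev_vm), ("exposed", exposed)):
        ok, msgs = check_startup(cfg)
        print(name, "start" if ok else "refuse", msgs)
```

The `ipaddress` module does the range arithmetic, so `127.0.0.1/32` and `::1` pass while `0.0.0.0`, a LAN CIDR, or an unresolved hostname are rejected; the version check before `subnet_of` avoids the `TypeError` that comparing an IPv4 and an IPv6 network would raise.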