Обсуждение: Running PostGre on DVD
Hi everybody, My questions may seem kind of odd. I would like to run PostGreSQL on a DVD (database on the DVD and if possible executable on DVD too) on windows. I want no installation at all, so I took the no install package. The problem is the need of creating a non-admin user to run PostGre, I would like to know if there is an option to parameter PostGre to accept WILLINGLY that an administrator user can run it. If there isn't, it would be a great idea to add such a parameter. Secondly, I would like to run PostGre having only read permission on the data directory (which would be on the DVD...). Is it possible? If not, can it be added (add of a 'read-only' option). Thanks in advance for your help. Regards, Eric LEGUILLIER
Why do you need to run PostgreSQL as admin? There shouldn't be any need for this. Someone has done a PostgreSQL demo CD, I believe based on Knoppix. The list archives will probably have more info. On Mon, Nov 14, 2005 at 11:29:10AM +0100, eric.leguillier@mpsa.com wrote: > Hi everybody, > > My questions may seem kind of odd. > > I would like to run PostGreSQL on a DVD (database on the DVD and if > possible executable on DVD too) on windows. > I want no installation at all, so I took the no install package. > > The problem is the need of creating a non-admin user to run PostGre, I > would like to know if there is an option to parameter PostGre to accept > WILLINGLY that an administrator user can run it. If there isn't, it would > be a great idea to add such a parameter. > > Secondly, I would like to run PostGre having only read permission on the > data directory (which would be on the DVD...). Is it possible? If not, can > it be added (add of a 'read-only' option). > > Thanks in advance for your help. > > Regards, > > Eric LEGUILLIER > > > ---------------------------(end of broadcast)--------------------------- > TIP 5: don't forget to increase your free space map settings > -- Jim C. Nasby, Sr. Engineering Consultant jnasby@pervasive.com Pervasive Software http://pervasive.com work: 512-231-6117 vcard: http://jim.nasby.net/pervasive.vcf cell: 512-569-9461
I explain myself about running PostGre as admin. In fact I don't want specifically run PostGre as admin. The problem is, on the computers the application including PostGre will run, I'm not sure that the user won't have any admin or power user rights. Furthermore, I've noticed that on certain domains, any user created is automatically added to a default group having power user rights (that is actually happening to me). It causes I cannot run PostGre because on my domain, because any user created is added to such a default group. That's why adding a parameter for willingly authorize an user with special rights to run the application would be great for me. Regards, Eric LEGUILLIER Why do you need to run PostgreSQL as admin? There shouldn't be any need for this. Someone has done a PostgreSQL demo CD, I believe based on Knoppix. The list archives will probably have more info. On Mon, Nov 14, 2005 at 11:29:10AM +0100, eric.leguillier@mpsa.com wrote: > Hi everybody, > > My questions may seem kind of odd. > > I would like to run PostGreSQL on a DVD (database on the DVD and if > possible executable on DVD too) on windows. > I want no installation at all, so I took the no install package. > > The problem is the need of creating a non-admin user to run PostGre, I > would like to know if there is an option to parameter PostGre to accept > WILLINGLY that an administrator user can run it. If there isn't, it would > be a great idea to add such a parameter. > > Secondly, I would like to run PostGre having only read permission on the > data directory (which would be on the DVD...). Is it possible? If not, can > it be added (add of a 'read-only' option). > > Thanks in advance for your help. > > Regards, > > Eric LEGUILLIER > > > ---------------------------(end of broadcast)--------------------------- > TIP 5: don't forget to increase your free space map settings > -- Jim C. Nasby, Sr. Engineering Consultant jnasby@pervasive.com Pervasive Software http://pervasive.com work: 512-231-6117 vcard: http://jim.nasby.net/pervasive.vcf cell: 512-569-9461
On Tuesday 15 November 2005 12:29 am, Jim C. Nasby wrote: > Why do you need to run PostgreSQL as admin? There shouldn't be any need > for this. Actually I've run into a scenario where this was needed. I'm not a Windows expert, so there might be some way to get around this: I have a localadmin account on the workstation(which is a member of a domain). As this localadmin(with full local administrative privileges) I created a local user "postgres" to run PostgreSQL as. The problem was that the policy for the domain the machine was a member of(which obviously overrides local settings) prevented this new local user to have "local login" privileges. Therefore I couldn't create a user to run the postmaster as. I was "stuck" with my admin-user, which I was not able to start PG as. This was quite frustrating as I really wanted to install Tomcat+PG to run a demo-webapp for a customer on one of their machines. There really should be an option for "Yes, I really want to run PG as a user with Administrator-privileges on Windows. I promiss not to bug -hacker about any potential security-problems I might experience". -- Andreas Joseph Krogh <andreak@officenet.no> Senior Software Developer / Manager gpg public_key: http://dev.officenet.no/~andreak/public_key.asc ------------------------+---------------------------------------------+ OfficeNet AS | The most difficult thing in the world is to | Hoffsveien 17 | know how to do a thing and to watch | PO. Box 425 Skøyen | somebody else doing it wrong, without | 0213 Oslo | comment. | NORWAY | | Phone : +47 22 13 01 00 | | Direct: +47 22 13 10 03 | | Mobile: +47 909 56 963 | | ------------------------+---------------------------------------------+
On Tue, Nov 15, 2005 at 09:19:23AM +0100, Andreas Joseph Krogh wrote: > On Tuesday 15 November 2005 12:29 am, Jim C. Nasby wrote: > > Why do you need to run PostgreSQL as admin? There shouldn't be any need > > for this. > > Actually I've run into a scenario where this was needed. I'm not a Windows > expert, so there might be some way to get around this: > > I have a localadmin account on the workstation(which is a member of a domain). > As this localadmin(with full local administrative privileges) I created a > local user "postgres" to run PostgreSQL as. The problem was that the policy > for the domain the machine was a member of(which obviously overrides local > settings) prevented this new local user to have "local login" privileges. Typical windows, can't give up admin priveliges even if you want to. All jokes aside, doesn't "runas" allow you to start a program as another user? Although the web seems to imply you have to be running a special service to have multiple accounts running simultaneously. Talk about bolt-on security. <snip> > There really should be an option for > "Yes, I really want to run PG as a user with Administrator-privileges on > Windows. I promiss not to bug -hacker about any potential security-problems I > might experience". This is free software. Nothing is stopping you from downloading the source, disabling the check and posting it as: Safety Free PostgreSQL - The PostgreSQL that runs everywhere and lets you do anything, including trash your machine on demand. There's just no reason for it to be an official PostgreSQL Development Group product. Have a nice day, -- Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/ > Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a > tool for doing 5% of the work and then sitting around waiting for someone > else to do the other 95% so you can sue them.
> > > Why do you need to run PostgreSQL as admin? There > shouldn't be any > > > need for this. > > > > Actually I've run into a scenario where this was needed. I'm not a > > Windows expert, so there might be some way to get around this: > > > > I have a localadmin account on the workstation(which is a > member of a domain). > > As this localadmin(with full local administrative privileges) I > > created a local user "postgres" to run PostgreSQL as. The > problem was > > that the policy for the domain the machine was a member of(which > > obviously overrides local > > settings) prevented this new local user to have "local > login" privileges. > > Typical windows, can't give up admin priveliges even if you want to. Huh. The stated problem is that the low privilege account does *not* have the required privilege (to log in). Note that PostgreSQL doesn't really require "log on locally" for anything other than initdb. So if you can initdb on a different box and copy it there, or somehow get the permissions temporarily, the server will workf ine. The server only requires "Log in as a service". The best way to fix it is of course if you can have the domain guys grant your local account the login locally right. If not, perhaps they can set you up with a low-priv domain account to run the service under? (I assume you are not the domain admin guy, or this would have already been fixed...) If the security is set up so that you can use a local *admin* acconut but not a local *nonadmin* accuont, then your domain people really need to look over their security policies, because they are very very broken indeed. > All jokes aside, doesn't "runas" allow you to start a program > as another user? It does, but this still requires that this user have the right to log in, which is the problem in this case it seems. /Magnus
On Tue, Nov 15, 2005 at 01:51:04PM +0100, Magnus Hagander wrote: > Huh. The stated problem is that the low privilege account does *not* > have the required privilege (to log in). > Note that PostgreSQL doesn't really require "log on locally" for > anything other than initdb. So if you can initdb on a different box and > copy it there, or somehow get the permissions temporarily, the server > will workf ine. The server only requires "Log in as a service". Sorry, my understanding of Windows permissions is hazy at times. You have permission to create users, but not permission to run programs as the user you created (because you need to "login"). And there is a distinction between running as a service and running as a program(?!). So I think my statement is correct that the above user cannot run programs as anything other than administrator privelidges. Like you said, if he could, this discussion would be moot. > If the security is set up so that you can use a local *admin* acconut > but not a local *nonadmin* accuont, then your domain people really need > to look over their security policies, because they are very very broken > indeed. That was the way I read it and I agree, that's a very broken way to set things up. Have a nice day, -- Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/ > Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a > tool for doing 5% of the work and then sitting around waiting for someone > else to do the other 95% so you can sue them.
> I explain myself about running PostGre as admin.
>
> In fact I don't want specifically run PostGre as admin. The problem
is, on
> the computers the application including PostGre will run, I'm not sure
> that
> the user won't have any admin or power user rights. Furthermore, I've
> noticed that on certain domains, any user created is automatically
added
> to
> a default group having power user rights (that is actually happening
to
> me).
To be honest, the fact that Postgres forces you to run as a non-admin
user has given me nothing but headaches. (yes, I know, the problem is
defaulting everyone to admin rights is the problem. But that's where I
am). I have been kicking around the idea of posting a change to allow
you to run as admin, but in the meanwhile if you can build Postgres on
your machine, the fix is very easy. Go into src/backend/main/main.c and
find the line
if (pgwin32_is_admin())
and change it to
if (false && pgwin32_is_admin())
Mike Pollard
SUPRA Server SQL Engineering and Support
Cincom Systems, Inc
> > Huh. The stated problem is that the low privilege account > does *not* > > have the required privilege (to log in). > > Note that PostgreSQL doesn't really require "log on locally" for > > anything other than initdb. So if you can initdb on a different box > > and copy it there, or somehow get the permissions temporarily, the > > server will workf ine. The server only requires "Log in as > a service". > > Sorry, my understanding of Windows permissions is hazy at > times. You have permission to create users, but not > permission to run programs as the user you created (because > you need to "login"). Yes. If you set up your permissions in a really weird way, you can have that. > And there is a distinction between > running as a service and running as a program(?!). Yes. And this is a good thing! :-) There is no reason a normal user should be able to run a service process. And services should normally have dedicated accounts, and there is no reason you should ever need to log in as that account interactively. //Magnus
On Tuesday 15 November 2005 02:07 pm, Martijn van Oosterhout wrote: > On Tue, Nov 15, 2005 at 01:51:04PM +0100, Magnus Hagander wrote: > > Huh. The stated problem is that the low privilege account does *not* > > have the required privilege (to log in). > > Note that PostgreSQL doesn't really require "log on locally" for > > anything other than initdb. So if you can initdb on a different box and > > copy it there, or somehow get the permissions temporarily, the server > > will workf ine. The server only requires "Log in as a service". > > Sorry, my understanding of Windows permissions is hazy at times. You > have permission to create users, but not permission to run programs as > the user you created (because you need to "login"). And there is a > distinction between running as a service and running as a program(?!). > > So I think my statement is correct that the above user cannot run > programs as anything other than administrator privelidges. Like you > said, if he could, this discussion would be moot. > > > If the security is set up so that you can use a local *admin* acconut > > but not a local *nonadmin* accuont, then your domain people really need > > to look over their security policies, because they are very very broken > > indeed. > > That was the way I read it and I agree, that's a very broken way to set > things up. > > Have a nice day, Broken or not, it's a setup I'm not in control over. And I'm certainly not the guy to hack the "disable admin-security-check on windows" feature:-( -- Andreas Joseph Krogh <andreak@officenet.no> Senior Software Developer / Manager gpg public_key: http://dev.officenet.no/~andreak/public_key.asc ------------------------+---------------------------------------------+ OfficeNet AS | The most difficult thing in the world is to | Hoffsveien 17 | know how to do a thing and to watch | PO. Box 425 Skøyen | somebody else doing it wrong, without | 0213 Oslo | comment. | NORWAY | | Phone : +47 22 13 01 00 | | Direct: +47 22 13 10 03 | | Mobile: +47 909 56 963 | | ------------------------+---------------------------------------------+
On Tuesday 15 November 2005 02:16 pm, Pollard, Mike wrote: > > I explain myself about running PostGre as admin. > > > > In fact I don't want specifically run PostGre as admin. The problem > > is, on > > > the computers the application including PostGre will run, I'm not sure > > that > > the user won't have any admin or power user rights. Furthermore, I've > > noticed that on certain domains, any user created is automatically > > added > > > to > > a default group having power user rights (that is actually happening > > to > > > me). > > To be honest, the fact that Postgres forces you to run as a non-admin > user has given me nothing but headaches. (yes, I know, the problem is > defaulting everyone to admin rights is the problem. But that's where I > am). I have been kicking around the idea of posting a change to allow > you to run as admin, but in the meanwhile if you can build Postgres on > your machine, the fix is very easy. Go into src/backend/main/main.c and > find the line > > if (pgwin32_is_admin()) > > and change it to > > if (false && pgwin32_is_admin()) Thanks, I'll see if I can build PG on Windows now. -- Andreas Joseph Krogh <andreak@officenet.no> Senior Software Developer / Manager gpg public_key: http://dev.officenet.no/~andreak/public_key.asc ------------------------+---------------------------------------------+ OfficeNet AS | The most difficult thing in the world is to | Hoffsveien 17 | know how to do a thing and to watch | PO. Box 425 Skøyen | somebody else doing it wrong, without | 0213 Oslo | comment. | NORWAY | | Phone : +47 22 13 01 00 | | Direct: +47 22 13 10 03 | | Mobile: +47 909 56 963 | | ------------------------+---------------------------------------------+
> -----Original Message----- > From: pgsql-hackers-owner@postgresql.org > [mailto:pgsql-hackers-owner@postgresql.org] On Behalf Of > Magnus Hagander > Sent: 15 November 2005 13:31 > To: Martijn van Oosterhout > Cc: Andreas Joseph Krogh; pgsql-hackers@postgresql.org > Subject: Re: [HACKERS] Running PostGre on DVD > > Yes. And this is a good thing! :-) > There is no reason a normal user should be able to run a service > process. And services should normally have dedicated > accounts, and there > is no reason you should ever need to log in as that account > interactively. Yes there is, to setup a MAPI profile for the service to use. However I'd welcome it if you could prove that wrong with an easy way to create a profile for a different user :-) Regards, Dave.
> > Yes. And this is a good thing! :-) > > There is no reason a normal user should be able to run a service > > process. And services should normally have dedicated accounts, and > > there is no reason you should ever need to log in as that account > > interactively. > > Yes there is, to setup a MAPI profile for the service to use. > > However I'd welcome it if you could prove that wrong with an > easy way to create a profile for a different user :-) Just don't use MAPI from a service. It was *NOT* made for doing that. MAPI was created for a single user running a single-threaded app on a single console. There are plenty of other ways to get to your mail, that will actually work :-) //Magnus
> -----Original Message----- > From: Magnus Hagander [mailto:mha@sollentuna.net] > Sent: 15 November 2005 13:45 > To: Dave Page; Martijn van Oosterhout > Cc: Andreas Joseph Krogh; pgsql-hackers@postgresql.org > Subject: RE: [HACKERS] Running PostGre on DVD > > > > Yes. And this is a good thing! :-) > > > There is no reason a normal user should be able to run a service > > > process. And services should normally have dedicated > accounts, and > > > there is no reason you should ever need to log in as that account > > > interactively. > > > > Yes there is, to setup a MAPI profile for the service to use. > > > > However I'd welcome it if you could prove that wrong with an > > easy way to create a profile for a different user :-) > > Just don't use MAPI from a service. It was *NOT* made for doing that. > MAPI was created for a single user running a single-threaded app on a > single console. > > There are plenty of other ways to get to your mail, that will actually > work :-) Better tell that to the SQL Server team then 'cos that's exactly how the SQL Agent sends mail :-) /D
> > I explain myself about running PostGre as admin. > > > > In fact I don't want specifically run PostGre as admin. The problem > is, on > > the computers the application including PostGre will run, > I'm not sure > > that the user won't have any admin or power user rights. > Furthermore, > > I've noticed that on certain domains, any user created is > > automatically > added > > to > > a default group having power user rights (that is actually happening > to > > me). > > To be honest, the fact that Postgres forces you to run as a > non-admin user has given me nothing but headaches. (yes, I > know, the problem is defaulting everyone to admin rights is > the problem. But that's where I am). I have been kicking > around the idea of posting a change to allow you to run as > admin, This has been proposed before, and always rejected. While you're always welcome to provide a patch, I'm very doubtful it would be accepted into the main product. //Magnus
On Tuesday 15 November 2005 03:05 pm, Magnus Hagander wrote: > > > I explain myself about running PostGre as admin. > > > > > > In fact I don't want specifically run PostGre as admin. The problem > > > > is, on > > > > > the computers the application including PostGre will run, > > > > I'm not sure > > > > > that the user won't have any admin or power user rights. > > > > Furthermore, > > > > > I've noticed that on certain domains, any user created is > > > automatically > > > > added > > > > > to > > > a default group having power user rights (that is actually happening > > > > to > > > > > me). > > > > To be honest, the fact that Postgres forces you to run as a > > non-admin user has given me nothing but headaches. (yes, I > > know, the problem is defaulting everyone to admin rights is > > the problem. But that's where I am). I have been kicking > > around the idea of posting a change to allow you to run as > > admin, > > This has been proposed before, and always rejected. While you're always > welcome to provide a patch, I'm very doubtful it would be accepted into > the main product. Oracle allows you to run it as admin... Don't know about SQL Server... My bet is PG will some day bite the bullet and allow this too as more and more will use PG on Windows. -- Andreas Joseph Krogh <andreak@officenet.no> Senior Software Developer / Manager gpg public_key: http://dev.officenet.no/~andreak/public_key.asc ------------------------+---------------------------------------------+ OfficeNet AS | The most difficult thing in the world is to | Hoffsveien 17 | know how to do a thing and to watch | PO. Box 425 Skøyen | somebody else doing it wrong, without | 0213 Oslo | comment. | NORWAY | | Phone : +47 22 13 01 00 | | Direct: +47 22 13 10 03 | | Mobile: +47 909 56 963 | | ------------------------+---------------------------------------------+
"Magnus Hagander" <mha@sollentuna.net> writes:
>> To be honest, the fact that Postgres forces you to run as a
>> non-admin user has given me nothing but headaches. (yes, I
>> know, the problem is defaulting everyone to admin rights is
>> the problem. But that's where I am). I have been kicking
>> around the idea of posting a change to allow you to run as
>> admin,
> This has been proposed before, and always rejected. While you're always
> welcome to provide a patch, I'm very doubtful it would be accepted into
> the main product.
The example given in this thread certainly isn't going to change
anybody's mind. "Hi, I propose reducing everybody's security because
my local admins insist on an utterly brain-dead security policy."
regards, tom lane
> > The example given in this thread certainly isn't going to change > anybody's mind. "Hi, I propose reducing everybody's security because > my local admins insist on an utterly brain-dead security policy." > What's wrong with that? ;) But seriously, the proposal is not to reduce everybody's security, just make it an option for people that want to. I am not arguing that it is a good idea/bad idea. In fact, the best thing to do may be to leave it in contrib, so if someone thinks it will solve a problem, it is at least a little painful to get to it. But at least by putting it into contrib, it may be useful to someone. Especially if the idea is to put a sample database onto a removable device. I suspect this is for some kind of demo (if not, it could be used for one); you go to a prospects site, pop the CD/DVD into their machine, and show off what your product can do for them. In that case, you may have no control over the permissions on the machine, and you certainly do not want to have to create and switch users for a demo; you've just lost the customers interest. Also, in my case, I'm running the debugger and profiler against Postgres on my Windows machine. I find it much easier to throw out the admin restriction, so I can just use my own account. I agree that my default account should not have had full admin rights, but that is the way the machine came. And yes, I should have immediately created a new user and set myself up on that one. But come on, my old laptop was so old, and I was so excited... sorry, TMI. Mike Pollard SUPRA Server SQL Engineering and Support Cincom Systems, Inc
> > This has been proposed before, and always rejected. While you're > > always welcome to provide a patch, I'm very doubtful it would be > > accepted into the main product. > > The example given in this thread certainly isn't going to change anybody's mind. > "Hi, I propose reducing everybody's security because my local admins insist on an > utterly brain-dead security policy." I think there is still need for discussion in this area for typical Windows desktop use. 1. You can run Windows without creating users at all. 2. You may be using a Windows box where you are not allowed to create a user To apply unix practices to Windows is imho not really practicable. For example a Windows developer usually uses an account with administrative privs and thus cannot run "make check" from his account :-( Andreas
On Tuesday 15 November 2005 03:37 pm, Tom Lane wrote: > "Magnus Hagander" <mha@sollentuna.net> writes: > >> To be honest, the fact that Postgres forces you to run as a > >> non-admin user has given me nothing but headaches. (yes, I > >> know, the problem is defaulting everyone to admin rights is > >> the problem. But that's where I am). I have been kicking > >> around the idea of posting a change to allow you to run as > >> admin, > > > > This has been proposed before, and always rejected. While you're always > > welcome to provide a patch, I'm very doubtful it would be accepted into > > the main product. > > The example given in this thread certainly isn't going to change > anybody's mind. "Hi, I propose reducing everybody's security because > my local admins insist on an utterly brain-dead security policy." Tom, nobody wants to reduce everybody's security, and nobody is proposing changes leading to such. I just believe more than me agree that having this as an option on Windows wouldn't hurt anybody, but would rather make life simpler for some Windows people. Anyway, I don't use Windows on a regular basis, so it's not that important to me... -- Andreas Joseph Krogh <andreak@officenet.no> Senior Software Developer / Manager gpg public_key: http://dev.officenet.no/~andreak/public_key.asc ------------------------+---------------------------------------------+ OfficeNet AS | The most difficult thing in the world is to | Hoffsveien 17 | know how to do a thing and to watch | PO. Box 425 Skøyen | somebody else doing it wrong, without | 0213 Oslo | comment. | NORWAY | | Phone : +47 22 13 01 00 | | Direct: +47 22 13 10 03 | | Mobile: +47 909 56 963 | | ------------------------+---------------------------------------------+
On Tue, Nov 15, 2005 at 04:01:24PM +0100, Andreas Joseph Krogh wrote: > > The example given in this thread certainly isn't going to change > > anybody's mind. "Hi, I propose reducing everybody's security because > > my local admins insist on an utterly brain-dead security policy." > > Tom, nobody wants to reduce everybody's security, and nobody is proposing > changes leading to such. I just believe more than me agree that having this > as an option on Windows wouldn't hurt anybody, but would rather make life > simpler for some Windows people. Anyway, I don't use Windows on a regular > basis, so it's not that important to me... So get the source code and change it and put it on a website for others to use. What's missing is an argument that it should be supported by the default installation... This is free software, if you don't like something, change it. You just can't require other people to go along with it. Have a nice day, -- Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/ > Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a > tool for doing 5% of the work and then sitting around waiting for someone > else to do the other 95% so you can sue them.
I don't understand why an user can't WILLINGLY (by EXPLICITLY setting an OPTION) allow a privileged administrator to run PostGre. It is a MAJOR problem for me, that will force me to use another database because my database will be on a DVD and I'm not sure that on the PC on which it will be executed, the user isn't an admin or that I can create an unprivileged user. To resume, I don't want my user to be unable to run my application for that. The persons specifying this option would know perfectly well the risks linked to it. I'm starting to think the PostGre developpers think the users are children. I'm deeply disappointed to be forced to compile my own PostGre and I will not. Eric LEGUILLIER > > I explain myself about running PostGre as admin. > > > > In fact I don't want specifically run PostGre as admin. The problem > is, on > > the computers the application including PostGre will run, > I'm not sure > > that the user won't have any admin or power user rights. > Furthermore, > > I've noticed that on certain domains, any user created is > > automatically > added > > to > > a default group having power user rights (that is actually happening > to > > me). > > To be honest, the fact that Postgres forces you to run as a > non-admin user has given me nothing but headaches. (yes, I > know, the problem is defaulting everyone to admin rights is > the problem. But that's where I am). I have been kicking > around the idea of posting a change to allow you to run as > admin, This has been proposed before, and always rejected. While you're always welcome to provide a patch, I'm very doubtful it would be accepted into the main product. //Magnus
NO, it won't reduce everybody's security.
You obviously don't understand what I'm trying to say.
It would NOT be the default option. The user could just choose by
SPECIFYING it, that PostGre don't control the privileged he has.
This discussion is amazing. Without this option, I CANNOT use PostGre, and
I think I'm not the only one...
Eric LEGUILLIER
Projet BriqueBackup
"Magnus Hagander" <mha@sollentuna.net> writes:
>> To be honest, the fact that Postgres forces you to run as a
>> non-admin user has given me nothing but headaches. (yes, I
>> know, the problem is defaulting everyone to admin rights is
>> the problem. But that's where I am). I have been kicking
>> around the idea of posting a change to allow you to run as
>> admin,
> This has been proposed before, and always rejected. While you're always
> welcome to provide a patch, I'm very doubtful it would be accepted into
> the main product.
The example given in this thread certainly isn't going to change
anybody's mind. "Hi, I propose reducing everybody's security because
my local admins insist on an utterly brain-dead security policy."
regards, tom lane
On 11/15/05, eric.leguillier@mpsa.com <eric.leguillier@mpsa.com> wrote: > I don't understand why an user can't WILLINGLY (by EXPLICITLY setting an > OPTION) allow a privileged administrator to run PostGre. > It is a MAJOR problem for me, that will force me to use another database > because my database will be on a DVD and I'm not sure that on the PC on > which it will be executed, the user isn't an admin or that I can create an > unprivileged user. To resume, I don't want my user to be unable to run my > application for that. > The persons specifying this option would know perfectly well the risks > linked to it. > I'm starting to think the PostGre developpers think the users are children. > I'm deeply disappointed to be forced to compile my own PostGre and I will > not. You can do it. Modify the source, it's a one line change. Be grateful that you have this privilege that you would lack with a proprietary database. Running as an administrator isn't a matter of taste, it's fundamentally broken from a security perspective. Just as you are (usually) asked to jump through hoops to break the normal promises that the database provide, you will be asked to do so on this one. If you are unable to make a one line change to the source and rebuild the application then you probably are unable to understand the security implications of your decision. I wouldn't call this treating you like a child, I'd call this expecting you to be an adult.
Well, first, you ought to learn the name of the product. It's Postgres or PostgreSQL, but not PostGre. I suspect that you will find other issues anyway in running from a datadir on a read-only medium. I suggest you see if you can do it regardless of this issue. If not, then some other product might suit you better anyway (I believe Firebird has specific support for this, for example.) We have never pretended that Postgres is a perfect fit for every situation. Finally, learn to chill a little. Getting angry doesn't help you or anyone else. cheers andrew eric.leguillier@mpsa.com wrote: > > >NO, it won't reduce everybody's security. > >You obviously don't understand what I'm trying to say. > >It would NOT be the default option. The user could just choose by >SPECIFYING it, that PostGre don't control the privileged he has. > >This discussion is amazing. Without this option, I CANNOT use PostGre, and >I think I'm not the only one... > >Eric LEGUILLIER >Projet BriqueBackup > > > >"Magnus Hagander" <mha@sollentuna.net> writes: > > >>>To be honest, the fact that Postgres forces you to run as a >>>non-admin user has given me nothing but headaches. (yes, I >>>know, the problem is defaulting everyone to admin rights is >>>the problem. But that's where I am). I have been kicking >>>around the idea of posting a change to allow you to run as >>>admin, >>> >>> > > > >>This has been proposed before, and always rejected. While you're always >>welcome to provide a patch, I'm very doubtful it would be accepted into >>the main product. >> >> > >The example given in this thread certainly isn't going to change >anybody's mind. "Hi, I propose reducing everybody's security because >my local admins insist on an utterly brain-dead security policy." > > regards, tom lane > > > >---------------------------(end of broadcast)--------------------------- >TIP 3: Have you checked our extensive FAQ? > > http://www.postgresql.org/docs/faq > > >
On Tue, 15 Nov 2005 eric.leguillier@mpsa.com wrote: > I don't understand why an user can't WILLINGLY (by EXPLICITLY setting an > OPTION) allow a privileged administrator to run PostGre. Well, to start with, it increases the support costs of the product as a whole to the community. Adding an option with severe security implications is not free, at least not if you want to be reasonably diligent about minimizing and documenting the risks. Generally the community tries to take that seriously, so IMHO just assuming that anyone who sets it knows the risks isn't acceptable. Why don't we actually start looking at the actual implications and see what we can do about them, rather than either assuming they're too great or too minimal. Maybe we'll come up with solutions to current problems as well. > I'm deeply disappointed to be forced to compile my own PostGre and I will > not. Well, given that such an option isn't likely to go in before 8.2 given the policy on dot version changes, I don't think you can get out of compiling a copy unless you have a year before shipping.
Andrew, I'm getting a bit angry (and I'm sorry for that) because I think the performances of Postgres are better than Firebird and I'm frustrated to have to compile it whereas it would be simpler for everybody to have an option. It seem to be impossible though, I will use Firebird. Thanks for your patience. Eric LEGUILLIER Well, first, you ought to learn the name of the product. It's Postgres or PostgreSQL, but not PostGre. I suspect that you will find other issues anyway in running from a datadir on a read-only medium. I suggest you see if you can do it regardless of this issue. If not, then some other product might suit you better anyway (I believe Firebird has specific support for this, for example.) We have never pretended that Postgres is a perfect fit for every situation. Finally, learn to chill a little. Getting angry doesn't help you or anyone else. cheers andrew eric.leguillier@mpsa.com wrote: > > >NO, it won't reduce everybody's security. > >You obviously don't understand what I'm trying to say. > >It would NOT be the default option. The user could just choose by >SPECIFYING it, that PostGre don't control the privileged he has. > >This discussion is amazing. Without this option, I CANNOT use PostGre, and >I think I'm not the only one... > >Eric LEGUILLIER >Projet BriqueBackup > > > >"Magnus Hagander" <mha@sollentuna.net> writes: > > >>>To be honest, the fact that Postgres forces you to run as a >>>non-admin user has given me nothing but headaches. (yes, I >>>know, the problem is defaulting everyone to admin rights is >>>the problem. But that's where I am). I have been kicking >>>around the idea of posting a change to allow you to run as >>>admin, >>> >>> > > > >>This has been proposed before, and always rejected. While you're always >>welcome to provide a patch, I'm very doubtful it would be accepted into >>the main product. >> >> > >The example given in this thread certainly isn't going to change >anybody's mind. "Hi, I propose reducing everybody's security because >my local admins insist on an utterly brain-dead security policy." > > regards, tom lane > > > >---------------------------(end of broadcast)--------------------------- >TIP 3: Have you checked our extensive FAQ? > > http://www.postgresql.org/docs/faq > > >
On Tue, Nov 15, 2005 at 08:10:40AM -0800, Stephan Szabo wrote: > On Tue, 15 Nov 2005 eric.leguillier@mpsa.com wrote: > > > I don't understand why an user can't WILLINGLY (by EXPLICITLY setting an > > OPTION) allow a privileged administrator to run PostGre. > > Well, to start with, it increases the support costs of the product as a > whole to the community. Adding an option with severe security implications > is not free, at least not if you want to be reasonably diligent about > minimizing and documenting the risks. Generally the community tries to > take that seriously, so IMHO just assuming that anyone who sets it knows > the risks isn't acceptable. > > Why don't we actually start looking at the actual implications and see > what we can do about them, rather than either assuming they're too great > or too minimal. Maybe we'll come up with solutions to current problems as > well. To expand on that, someone has suggested the use of runas, so it would be good to see how that works. The problem here isn't that PostgreSQL refuses to run with admin privledges, it's that the Windows security model is brain-dead. IF it can be shown that there is no reasonable way around Windows 'security' and IF there is enough demand from users then the community might consider a hack that allows running PostgreSQL from an admin account. But as it stands right now, neither of those has been shown. So as Stephan suggested, let's try looking at the root problem and see if there's some way to fix that. -- Jim C. Nasby, Sr. Engineering Consultant jnasby@pervasive.com Pervasive Software http://pervasive.com work: 512-231-6117 vcard: http://jim.nasby.net/pervasive.vcf cell: 512-569-9461
On Tue, Nov 15, 2005 at 09:56:03AM -0500, Pollard, Mike wrote: > a little painful to get to it. But at least by putting it into contrib, > it may be useful to someone. Especially if the idea is to put a sample Keep in mind that compiling something on windows is extremely painful for most people. Unlike unix, the vast majority of windows users don't have a compiler laying around. > Also, in my case, I'm running the debugger and profiler against Postgres > on my Windows machine. I find it much easier to throw out the admin > restriction, so I can just use my own account. I agree that my default > account should not have had full admin rights, but that is the way the > machine came. And yes, I should have immediately created a new user and > set myself up on that one. But come on, my old laptop was so old, and I > was so excited... sorry, TMI. Well, a bigger issue is that windows makes things a lot more difficult to do if you don't have admin on your account. Yes, there is runas, but windows doesn't exactly foster people working from the command line. And IIRC runas isn't nearly as nice to use as sudo. -- Jim C. Nasby, Sr. Engineering Consultant jnasby@pervasive.com Pervasive Software http://pervasive.com work: 512-231-6117 vcard: http://jim.nasby.net/pervasive.vcf cell: 512-569-9461
> Well, a bigger issue is that windows makes things a lot more difficult > to do if you don't have admin on your account. Yes, there is runas, but > windows doesn't exactly foster people working from the command line. And > IIRC runas isn't nearly as nice to use as sudo. Couldn't the installer create a handy dandy icon on the desktop with the correct runas command to start/stop it for a given user or even have a graphical pg_ctl type interface with Start, Stop and Restart buttons that does the right thing behind the scenes? On unix I get a startup script that hides the su and other logic and safeties behind the scenes. --
> -----Original Message----- > From: pgsql-hackers-owner@postgresql.org > [mailto:pgsql-hackers-owner@postgresql.org] On Behalf Of Rod Taylor > Sent: 15 November 2005 16:40 > To: Jim C. Nasby > Cc: Pollard, Mike; pgsql-hackers@postgresql.org > Subject: Re: [HACKERS] Running PostGre on DVD > > > Well, a bigger issue is that windows makes things a lot > more difficult > > to do if you don't have admin on your account. Yes, there > is runas, but > > windows doesn't exactly foster people working from the > command line. And > > IIRC runas isn't nearly as nice to use as sudo. > > Couldn't the installer create a handy dandy icon on the > desktop with the > correct runas command to start/stop it for a given user or even have a > graphical pg_ctl type interface with Start, Stop and Restart buttons > that does the right thing behind the scenes? We do. You can't run from the command line as an admin, but when installed as a service you can start/stop it etc. as an admin, even though the service actually runs under a low privilege account. You can start/stop etc from the command line using 'net start', from the services control panel applet, or using shortcuts we provide on the start menu. Regards, Dave
On Tue, Nov 15, 2005 at 11:39:37AM -0500, Rod Taylor wrote: > > Well, a bigger issue is that windows makes things a lot more difficult > > to do if you don't have admin on your account. Yes, there is runas, but > > windows doesn't exactly foster people working from the command line. And > > IIRC runas isn't nearly as nice to use as sudo. > > Couldn't the installer create a handy dandy icon on the desktop with the > correct runas command to start/stop it for a given user or even have a > graphical pg_ctl type interface with Start, Stop and Restart buttons > that does the right thing behind the scenes? > > > On unix I get a startup script that hides the su and other logic and > safeties behind the scenes. Well, I think the normal windows installer goes and installs PostgreSQL as a service, which eliminates all these problems; but that doesn't help for the case of trying to run a demo. BTW, my point was that the reason many windows users run with admin rights is because windows doesn't provide a viable alternative (unlike OS X). -- Jim C. Nasby, Sr. Engineering Consultant jnasby@pervasive.com Pervasive Software http://pervasive.com work: 512-231-6117 vcard: http://jim.nasby.net/pervasive.vcf cell: 512-569-9461
On Tue, Nov 15, 2005 at 10:58:31AM -0600, Jim C. Nasby wrote: > BTW, my point was that the reason many windows users run with admin > rights is because windows doesn't provide a viable alternative (unlike > OS X). Err, sorry, hit send too soon. My point about OS X isn't meant to start a flame war, only to point out that there are ways to make this work in a GUI environment. Maybe in the future Windows will pick one of those ways up. -- Jim C. Nasby, Sr. Engineering Consultant jnasby@pervasive.com Pervasive Software http://pervasive.com work: 512-231-6117 vcard: http://jim.nasby.net/pervasive.vcf cell: 512-569-9461
We were initially logging out of the Windows GUI environment and back in again to do the Windows builds. Discovering runas made the whole process MUCH less painful. So far I haven't needed to use any advanced features of sudo or runas; in my view either is easy to use for the common cases. I'll admit it gets a little messy getting into the msys/mingw environment as another user. I gave an example of how we used it this way recently: http://archives.postgresql.org/pgsql-hackers/2005-11/msg00750.php This wouldn't help with the "run from DVD" situation without having a user to runas. -Kevin >>> "Jim C. Nasby" <jnasby@pervasive.com> >>> Yes, there is runas, but windows doesn't exactly foster people working from the command line. And IIRC runas isn't nearly as nice to use as sudo.
> NO, it won't reduce everybody's security. > > You obviously don't understand what I'm trying to say. > > It would NOT be the default option. The user could just choose by > SPECIFYING it, that PostGre don't control the privileged he has. > > This discussion is amazing. Without this option, I CANNOT use PostGre, and > I think I'm not the only one... > > Eric LEGUILLIER > Projet BriqueBackup It's been fine for 15 years on Unix. Chris