On Wed, Jul 07, 2004 at 02:01:57PM +0100, nobody wrote:
> To begin with I am not sure this is a correct place to post this, if not
> please let me know.
>
> The PostgreSQL traditionally refuses to run under root account on Unix (for
> security reasons). On win32 the situation is the same (it will not run if
> run under user belonging to administrator group).
> In my opinion this should not be the case on win32 as developers are likely
> to belong to the administrators group and might like to run the database
> under their account.
Think carefully about this. If the DB runs with admin rights, you've
just given any person who connects to the database full rights to read
and write any file on disk. Look at the COPY IN/OUT command and the
lo_import/export() functions. They run with the priveledges of the
*backend* not the frontend. So any connecting user would be able to
lo_import() any file on disk and then display it for perusal.
This is why on unix it runs as it's own user. Then it can only read
other people's world-readable files.
> I think that issuing a warning (pop up window) at the start-up of the
> postmaster would be enough, something like:
>
> "Starting under privileged account is considered unsafe. Please consider
> starting the database server under different user account."
Eeeuw, pop-up windows for a database server. No doubt it should stop
the database starting up waiting for someone to press OK. Very useful
(*not*) if you want to start the database from a script on a remote
machine.
Have a nice day,
--
Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.