Re: 9.2 beta2 - pg_ctl crashes on Win32 when neither PGDATA nor -D specified

> Unfortunately in src/backend/main/main.c it only does a cursory check
> for --help and --version. So it would need to become a little more
> complicated to scan for -C options at that stage. It's not too much
> if you can assume -C always appears first like the other special
> options detected in that file.

I am doubtful whether we should make such an exception for -C option, as
this will
be a change in behavior as compare to previous versions.
How to do in code is next step.
According to me the solution I have proposed is safer and already initdb
handles in same way.

I am waiting for other people opinion on this issue.

Please suggest whether this problem needs to be fixed and
what is best way to fix it among below or it should be fixed in some other
way.
1. pg_ctl invoke itself in a restricted mode, similar to initdb.
2. postgres to handle -C calls without checking if it's running as root.

-----Original Message-----
From: Edmund Horner [mailto:ejrh00(at)gmail(dot)com]
Sent: Wednesday, June 13, 2012 6:26 AM
To: Amit Kapila
Cc: Tom Lane; pgsql-bugs(at)postgresql(dot)org; Bruce Momjian
Subject: Re: [BUGS] 9.2 beta2 - pg_ctl crashes on Win32 when neither PGDATA
nor -D specified

On 13 June 2012 00:54, Amit Kapila <amit(dot)kapila(at)huawei(dot)com> wrote:
>>> I note that "postgres -C data_directory" will refuse to run on the
>>> command line because I've got admin privileges in Windows, and that
>>> pg_ctl normally starts postgres.exe using CreateRestrictedProcess.
>>> But it does not do so for the popen call in adjust_data_dir.
>
>> if that actually is a third bug, as seems likely, somebody with access
>> to a windows environment will need to deal with it.
>
> I am able to reproduce this problem, "that pg_ctl throws error for
> administrative user in the mentioned code path".
>
> One solution to this problem is that pg_ctl invoke itself in a restricted
> mode, similar to initdb.
> This will allow popen call to be successful in pg_ctl code path.

Perhaps an alternative solution is to get postgres to handle -C calls
without checking if it's running as root. The command does not do
much more than read the config file, print a value from it, and exit.

Unfortunately in src/backend/main/main.c it only does a cursory check
for --help and --version. So it would need to become a little more
complicated to scan for -C options at that stage. It's not too much
if you can assume -C always appears first like the other special
options detected in that file.

But you might not want to make an exception for -C. And I realise the
check is a security feature, and it's best to err on the side of
defensive programming and maintainability.

Edmund.