Re: Initdb fails... Again!

From: Jason Tishler <jason(at)tishler(dot)net>
To: Dan Holmsand <dan(at)eyebee(dot)com>
Cc: pgsql-cygwin(at)postgresql(dot)org
Subject: Re: Initdb fails... Again!
Date: 2003-01-27 21:44:38
Message-ID: 20030127214438.GF2124@tishler.net
Lists: pgsql-cygwin

Dan,

On Mon, Jan 27, 2003 at 10:10:55PM +0100, Dan Holmsand wrote:
> There are some (important, IMHO) advantages to run init as uid 0
> (a.k.a. root), instead of as LocalSystem:

Not really, see below...

> 1) You can log on as root. More importantly, you can use W2K's "Run
> as" utility to run e.g. rxvt as root, and execute init scripts
> interactively (as in "/etc/rc.d/init.d/sshd restart").

You *can* log on as LocalSystem via ssh:

1. Replace the following /etc/passwd line:

SYSTEM:*:18:544:,S-1-5-18::

with something like:

SYSTEM:*:18:18:Local System,U-TISHLERJASON\LocalSystem,S-1-5-18:/home/system:/bin/bash

2. Add your keys to ~system/.ssh/authorized_keys

3. ssh system@localhost

There is also cmdasuser:

http://www.develop.com/kbrown/security/sample_cmdasuser.htm

which can switch user to LocalSystem too.

> That makes life a *lot* easier when debugging, temporarily disabling
> services, etc. Executing typical sysv init scripts as another user,
> e.g. "Administrator", will result in failure or disaster (depending
> on script and privileges).

See above.

> 2) You can use su when running as root. Also makes life a lot easier:
> just say "su postgres -c 'psql template1'" to administer postgresql.

Ditto.

> 3) You probably *gain* some security. Many (most?) unix daemons behave
> differently when run as uid 0, in order to prevent certain exploits or
> configuration errors when running as root. Just one example: apache
> (wisely) refuses to run with "User root" in httpd.conf, but happily
> accepts "User system".
>
> Unless such programs are really, really carefully ported to Cygwin,
> you get a security hole when running them as uid 18 (i.e. "SYSTEM").

Then those ports (e.g., apache) are broken and should be fixed. For
example, my fetchmail, procmail, and vsftpd ports recognize uid 18 as
the root uid and behave accordingly.

> 4) It just feels a bit more unixy :-)

I guess so, but when in Rome... :,)

Jason

--
PGP/GPG Key: http://www.tishler.net/jason/pubkey.asc or key servers
Fingerprint: 7A73 1405 7F2B E669 C19D 8784 1AFD E4CC ECF4 8EF6
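
An added example, not part of the original message and not code from any of the ports it mentions: one way a ported daemon's "refuse to run as root" check could treat the Cygwin SYSTEM account as root-equivalent, matching uid 0, uid 18, or the SID S-1-5-18 in the gecos field of a passwd line. The function names and the sample lines are constructed for illustration, and the gecos layout is assumed from the two passwd lines shown in the message.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CYGWIN_SYSTEM_UID 18         /* uid of SYSTEM in the passwd lines above */
#define LOCALSYSTEM_SID "S-1-5-18"   /* SID carried in the gecos field above */

/* Return 1 if sid appears in gecos[0..len) as a whole comma-separated item. */
static int gecos_has_sid(const char *gecos, size_t len, const char *sid)
{
    size_t n = strlen(sid);
    for (size_t i = 0; i + n <= len; i++) {
        int starts = (i == 0 || gecos[i - 1] == ',');
        int ends = (i + n == len || gecos[i + n] == ',');
        if (starts && ends && strncmp(gecos + i, sid, n) == 0)
            return 1;
    }
    return 0;
}

/* Classify one passwd line (name:pw:uid:gid:gecos:home:shell).
 * Returns 1 if the account is root-equivalent, 0 if not, -1 if malformed. */
int is_root_equivalent(const char *line)
{
    const char *field[5], *p = line;
    char *end;
    for (int i = 0; i < 5; i++) {        /* find the start of fields 0..4 */
        field[i] = p;
        if ((p = strchr(p, ':')) == NULL)
            return -1;
        p++;                             /* step past the separator */
    }
    long uid = strtol(field[2], &end, 10);
    if (end == field[2] || *end != ':')
        return -1;                       /* uid field is not a number */
    if (uid == 0 || uid == CYGWIN_SYSTEM_UID)
        return 1;
    /* gecos runs from field[4] up to the ':' just before p */
    return gecos_has_sid(field[4], (size_t)(p - 1 - field[4]), LOCALSYSTEM_SID);
}

int main(void)
{
    /* Constructed sample lines, modelled on the format shown above. */
    const char *lines[] = { "SYSTEM:*:18:544:,S-1-5-18::",
                            "svc:*:1005:544:,S-1-5-18:/home/svc:/bin/bash",
                            "postgres:*:1004:513:,S-1-5-21-1-2-3-1004:/home/postgres:/bin/bash" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%d  %s\n", is_root_equivalent(lines[i]), lines[i]);
    return 0;
}
```

Checking the SID as well as the uid catches an account that maps to LocalSystem under a different uid, which a uid-only comparison would accept.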
