On Mon, Jan 27, 2003 at 10:10:55PM +0100, Dan Holmsand wrote:
> There are some (important, IMHO) advantages to run init as uid 0
> (a.k.a. root), instead of as LocalSystem:
Not really, see below...
> 1) You can log on as root. More importantly, you can use W2K's "Run
> as" utility to run e.g. rxvt as root, and execute init scripts
> interactively (as in "/etc/rc.d/init.d/sshd restart").
You *can* log on as LocalSystem via ssh:
1. Replace the following /etc/passwd line:
with something like:
2. Add your keys to ~system/.ssh/authorized_keys
3. ssh system@localhost
There is also cmdasuser:
which can switch user to LocalSystem too.
> That makes life a *lot* easier when debugging, temporarily disabling
> services, etc. Executing typical sysv init scripts as another user,
> e.g. "Administrator", will result in failure or disaster (depending
> on script and privileges).
> 2) You can use su when running as root. Also makes life a lot easier:
> just say "su postgres -c 'psql template1'" to administer postgresql.
> 3) You probably *gain* some security. Many (most?) unix daemons behave
> differently when run as uid 0, in order to prevent certain exploits or
> configuration errors when running as root. Just one example: apache
> (wisely) refuses to run with "User root" in httpd.conf, but happily
> accepts "User system".
> Unless such programs are really, really carefully ported to Cygwin,
> you get a security hole when running them as uid 18 (i.e. "SYSTEM").
Then those ports (e.g., apache) are broken and should be fixed. For
example, my fetchmail, procmail, and vsftpd ports recognized uid 18 as
the root uid and behave accordingly.
> 4) It just feels a bit more unixy :-)
I guess so, but when in Rome... :,)
PGP/GPG Key: http://www.tishler.net/jason/pubkey.asc or key servers
Fingerprint: 7A73 1405 7F2B E669 C19D 8784 1AFD E4CC ECF4 8EF6
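The uid 18 point from the message above, as an added example (not code from the fetchmail, procmail, vsftpd or apache ports): a root check written only for uid 0 lets a "User system" setting through, while a check that also treats uid 18 as root refuses it. The passwd entries, function names and the fail-closed handling of unknown users are assumptions made for this sketch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define UNIX_ROOT_UID     0   /* classic root */
#define CYGWIN_SYSTEM_UID 18  /* LocalSystem ("SYSTEM"), the uid named in the thread */

/* Constructed sample in /etc/passwd format; not the lines elided from the message. */
static const char *SAMPLE_PASSWD =
    "root:*:0:0:root:/root:/bin/bash\n"
    "system:*:18:18:LocalSystem:/home/system:/bin/bash\n"
    "postgres:*:1004:513:PostgreSQL:/home/postgres:/bin/bash\n";

/* Check as written for Unix only: misses LocalSystem on Cygwin. */
int is_root_unix_only(long uid) { return uid == UNIX_ROOT_UID; }

/* Port-aware check (hypothetical helper): uid 18 counts as root too. */
int is_root_cygwin_aware(long uid) {
    return uid == UNIX_ROOT_UID || uid == CYGWIN_SYSTEM_UID;
}

/* Find `name` in passwd-format text; return its uid, or -1 if absent or malformed. */
long lookup_uid(const char *passwd, const char *name) {
    size_t nlen = strlen(name);
    const char *line = passwd;
    while (line && *line) {
        const char *eol = strchr(line, '\n');
        if (strncmp(line, name, nlen) == 0 && line[nlen] == ':') {
            const char *pw_end = strchr(line + nlen + 1, ':'); /* end of password field */
            char *end;
            if (!pw_end || (eol && pw_end > eol)) return -1;
            long uid = strtol(pw_end + 1, &end, 10);
            return (end == pw_end + 1 || *end != ':') ? -1 : uid;
        }
        line = eol ? eol + 1 : NULL;
    }
    return -1;
}

/* Should a daemon refuse a configured "User <name>"? Unknown users fail closed. */
int should_refuse_user(const char *passwd, const char *name) {
    long uid = lookup_uid(passwd, name);
    return uid < 0 || is_root_cygwin_aware(uid);
}

int main(void) {
    const char *names[] = {"root", "system", "postgres"};
    for (int i = 0; i < 3; i++)
        printf("%-8s unix-only refuses: %d, cygwin-aware refuses: %d\n", names[i],
               is_root_unix_only(lookup_uid(SAMPLE_PASSWD, names[i])),
               should_refuse_user(SAMPLE_PASSWD, names[i]));
    return 0;
}
```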