Re: initdb crash

From: "Magnus Hagander" <mha(at)sollentuna(dot)net>
To: "Gary Doades" <gpd(at)gpdnet(dot)co(dot)uk>, <pgsql-hackers-win32(at)postgresql(dot)org>
Subject: Re: initdb crash
Date: 2004-07-04 13:47:18
Message-ID: 6BCB9D8A16AC4241919521715F4D8BCE34BDD3@algol.sollentuna.se
Lists: pgsql-hackers-win32

>> Can't run without TCPIP on win32...
>
>It should be possible to reject anything that is not 127.0.0.1

Oh yes. And bind to just 127.0.0.1. Should be safe with tcp, yes.

>What about anonymous pipes? These are local only by definition. Maybe
>not for this release, but maybe later?

I doubt we'd want to do those - that would be a whole new layer of code
in libpq, since they're not compatible with the socket calls.

>> Anyway. It is a security threat in the way that it helps an indirect
>> attack. Say a SQL injection attack would suddenly give you local admin
>> instead of just an unpriv account. A lot better place to get started if
>> you want to take over a server...
>
>Absolutely! But...
>
>You must have had admin privs to start the postmaster as an admin user
>anyway, so why is this a problem?

This has nothing to do with possible attack vectors using SQL injection,
for example. The admin starts the service. The SQL injection comes in
through the webserver at a later time (and hey, if you don't even allow
that one to connect to your server, then don't bother running it).
Now sure, this is a bug in the web application, but there are thousands
of webapps out there with just this kind of bug. And by not allowing the
server to run as admin, we help the admins decrease the surface that
this kind of attack can actually hit.

>I'm only suggesting that this would be easier for a developer on their
>local system or all those folks out there who want to see what PostgreSQL
>can do. As long as admin privs are restricted to the local system (by
>whatever means) then it should be allowed.

How do you intend to prevent that? We don't even prevent that today. You
can have admin on the network but not on the local machine, and we
*will* let you start it. But there is no way to end up in that situation
without tweaking several locations.

The one argument I buy is the one for making it easier for developers. I
guess one way would be a command-line option that permits it to run as
admin. In doing this, it should also *FORCE* connections to permit
127.0.0.1 only, and emit a screenful of warnings about how bad this is.
But sure, in a developer's VM or otherwise secured machine, it's not a
major issue.

Not sure if this would be accepted, though. Tom/others?

//Magnus
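The startup policy proposed in this message (refuse to run as an administrative user unless a developer override is given, and with the override force 127.0.0.1-only listening and reject every other peer) sketched as an added example in Python; this is not PostgreSQL code, and the option name `--allow-admin` and the function names are hypothetical.

```python
"""Startup policy sketch: refuse to run a network service as a privileged
user unless an explicit developer override is given; when it is, listen on
and accept connections from the loopback address only.
Hypothetical example, not PostgreSQL's actual code."""
import ipaddress
import os
import sys

OVERRIDE_FLAG = "--allow-admin"   # hypothetical option name, not a real postmaster flag
LOOPBACK = "127.0.0.1"


def running_privileged() -> bool:
    """True if the current process runs as Administrator (Windows) or root (POSIX)."""
    if os.name == "nt":
        import ctypes
        return bool(ctypes.windll.shell32.IsUserAnAdmin())  # type: ignore[attr-defined]
    return os.geteuid() == 0


def startup_policy(is_privileged, argv, requested_listen):
    """Decide whether to start and on which addresses.
    Returns (allowed, listen_addresses, warnings)."""
    warnings = []
    if not is_privileged:
        return True, list(requested_listen), warnings
    if OVERRIDE_FLAG not in argv:
        return False, [], [f"refusing to start as an administrative user; "
                           f"{OVERRIDE_FLAG} is for development machines only"]
    # Override given: the configured listen addresses are ignored, not merged.
    dropped = [a for a in requested_listen if a != LOOPBACK]
    if dropped:
        warnings.append(f"ignoring listen addresses {dropped}: admin mode binds {LOOPBACK} only")
    warnings.append("WARNING: running as an administrative user; a SQL injection in any "
                    "client application now yields admin rights on this host")
    return True, [LOOPBACK], warnings


def accept_client(peer_addr: str, admin_mode: bool) -> bool:
    """Connection-time check: in admin mode, reject any peer that is not exactly
    127.0.0.1 (IPv4-mapped IPv6 forms and unparsable strings are rejected too)."""
    if not admin_mode:
        return True
    try:
        return ipaddress.ip_address(peer_addr) == ipaddress.ip_address(LOOPBACK)
    except ValueError:
        return False


if __name__ == "__main__":
    ok, addrs, warns = startup_policy(running_privileged(), sys.argv[1:], ["0.0.0.0"])
    for w in warns:
        print(w, file=sys.stderr)
    print("start" if ok else "abort", addrs)
```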
