| From: | "MauMau" <maumau307(at)gmail(dot)com> |
|---|---|
| To: | <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | [bug fix] pg_ctl fails with config-only directory |
| Date: | 2013-12-04 14:27:02 |
| Message-ID: | 180B62C99398442C999DEC7A1BB2DCB9@maumau |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Hello,
I've found a bug and would like to fix it, but I cannot figure out how to do
that well. Could you give me any advice? I encountered this on PG 9.2, but
it will probably exist in later versions.
[Problem]
On Windows, a user with Administrator privileges can start the database
server. However, when he uses config-only directory, the database server
cannot be started. "pg_ctl start" fails with the following messages:
Execution of PostgreSQL by a user with administrative permissions is not
permitted.
The server must be started under an unprivileged user ID to prevent
possible system security compromises. See the documentation for
more information on how to properly start the server.
[Cause]
pg_ctl runs "postgres -C data_directory" to know the data directory. But
postgres cannot be run by a user with Administrator privileges, and displays
the above messages.
[Fix]
It is ideal that users with administrative privileges can start postgres,
with the Administrator privileges removed.
Currently, initdb and pg_ctl take trouble to invoke postgres in a process
with restricted privileges. I understand this improvement was done in 8.2
or 8.3 for convenience. The same convenience should be available when
running postgres directly, at least "postgres -C",
"postgres --describe-config", and "postgres --single".
Then, how can we do this? Which approach should we take?
* Approach 1
When postgres starts, it removes Administrator privileges from its own
process. But is this possible at all? Windows security API is complex and
provides many functions. It seems difficult to understand them. I'm afraid
it would take a long time to figure out the solution. Is there any good web
page to look at?
* Approach 2
Do not call check_root() on Windows when -C, --describe-config, or --single
is specified when running postgres. This would be easy, and should not be
dangerous in terms of security because attackers cannot get into the server
process via network.
I'll try to find a solution based on approach 1, but I doubt there's one.
If okay, I want to take approach 2. Could you give me your thoughts?
Regards
MauMau
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Ian Lawrence Barwick | 2013-12-04 14:47:46 | Re: FDW: possible resjunk columns in AddForeignUpdateTargets |
| Previous Message | Mitsumasa KONDO | 2013-12-04 14:16:29 | Re: Time-Delayed Standbys |