Re: Run-as-admin warning for win32

From: "Andrew Dunstan" <andrew(at)dunslane(dot)net>
To: <pgsql-patches(at)postgresql(dot)org>
Subject: Re: Run-as-admin warning for win32
Date: 2004-05-04 07:50:35
Message-ID: 4139.24.211.141.25.1083657035.squirrel@www.dunslane.net
Lists: pgsql-patches

Tom Lane said:
> Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> writes:
>> Tom Lane wrote:
>>> Why? If we refuse to run as root on Unix, I do not see an argument
>>> for being more forgiving on Windows.
>
>> I am not sure it is as easy to run as non-admin on Win32 as it is to
>> run as non-root on Unix. Is it?
>
> Ease of use has nothing to do with this. Given the demonstrated
> security weaknesses of Windows, we would be completely irresponsible to
> allow Postgres to be started in an obviously-insecure way on that
> platform.
>
> In other words, I do not wish to be the author of code that could
> become the vector for the next SQL Slammer worm.
>

Me either :-)

> I am already deathly afraid of what the Windows port is likely to do to
> Postgres' reputation for reliability and security. Do *not* get me
> started by proposing that we insert obvious security holes on lame
> "ease of use" grounds. Haven't the boys in Redmond already proven the
> wrongness of those priorities many times over?
>

If we are going to enforce the 'must be non-privileged user' on Windows,
there are some things we need to do, I think:

. enforce the rule in initdb (currently it does not, on Windows).
. if the installer is running as Administrator, it should create a
  Postgres user
. if the installer is going to install the service, it should run initdb
  as the postgres user (is that possible?) and install the service to run as
  that user.

IOW, we need to make it as easy as possible to be secure.

cheers

andrew
