Merlin Moncure said:
> Steve Tibbett wrote:
>> It is normal on Windows for users to have admin rights on the local
>> system. As much as this needs to be changed, you're not going to
>> change it. If you insist on not running on an account with admin
>> rights, you're just going to frustrate users
>>
>> You could say "Windows is inherently insecure; refusing to run". That
>> would make the port much simpler. :)
>>
>> A warning is appropriate I think.. but refusing to run is going
>> overboard. Just my two cents.
>
> I disagree completely. Opening a tcp/ip server with this level of
> complexity for root access is a recipe for disaster. Wait until an
> exploit pops up and hundreds of win32 boxes get rooted. This would be
> a huge embarrassment and would be awful press. Do you really want to
> allow for this scenario?
>
One compromise might be that we refuse to run with elevated privs on Windows
if configured to listen on more than localhost. Then developers with admin
privs could play happily, but server admins would need to do the Right Thing
(tm). Of course, if another local service could be induced to do bad things
via postgres that would be no protection, but at least we would not be the
primary attack vector.
cheers
andrew