Local Admin Priveleges (was Re: initdb crash)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I think the idea is if you give people the ability to run the server in
any fashion as an account with admin rights, they will leave it running
because it is "working" for them. So if the programs they want to run
only needs access to a local machine, then they would run in admin mode,
and just leave it. That leaves it open for someone else to escalate
their priveledges.

However, I do think it is safe enough (security is always a trade-off
after all.) If you really want it, you could allow administrator, but
not allow remote connections, and only run for a limited period of time.

I still think this person would benifit from figuring out how to get it
working as an unpriv. user, though. Actually, I think the best long-term
solution is to just have an installer that can create a local user
account, and install/initdb such that all permissions are right (I would
even suggest having it install only as a service). Then we wouldn't have
to worry about a lot of this.

John
=:->

Gary Doades wrote:
| On 4 Jul 2004 at 14:37, Magnus Hagander wrote:
|
|
|>Can't run without TCPIP on win32...
|
|
| It should be possible to reject anything that is not 127.0.0.1
|
| What about anonymous pipes? These are local only by definition. Maybe
not for this
| release. but maybe later?
|
|
|>Anyway. It is a security threat in the way that it helps an indirect
|>attack. Say a SQL injection attack would suddenly give you local admin
|>instead of just an unpriv account. A lot better place to get started if
|>you want to take over a server...
|
|
| Absolutely! but...
|
| You must have had admin privs to start the postmaster as an admin user
anyway so why
| is this a problem? I'm only suggesting that this would be easier for a
developer on their
| local system or all those folks out there who want to see what
PostgreSQL can do. As
| long as admin privs are restricted to the local system (by whatever
means) then it should
| be allowed.
|
| You should definitely NOT be able to start postmaster with admin privs
and give network
| access.
|
| Cheers,
| Gary.
|
| ---------------------------(end of broadcast)---------------------------
| TIP 2: you can get off all lists at once with the unregister command
|     (send "unregister YourEmailAddressHere" to majordomo@postgresql.org)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFA6B8IJdeBCYSNAAMRAkgsAJ4xjJTlw+GqbMOUPMpeUH3Xg44X/ACeMGeA
peOje5Ti2G/CsTOoUZ4zCUs=
=EWwP
-----END PGP SIGNATURE-----