Re: PgSQL not as Administrator - probs on w

Andrew Dunstan wrote:

>Merlin Moncure said:
>
>
>>Steve Tibbett wrote:
>>
>>
>>>It is normal on Windows for users to have admin rights on the local
>>>system.  As much as this needs to be changed, you're not going to
>>>change it.  If you insist on not running on an account with admin
>>>rights, you're just going to frustrate users
>>>
>>>You could say "Windows is inherently insecure; refusing to run".  That
>>>would make the port much simpler.  :)
>>>
>>>A warning is appropriate I think.. but refusing to run is going
>>>overboard.  Just my two cents.
>>>
>>>
>>I disagree completely.  Opening a tcp/ip server with this level of
>>complexity for root access is a recipe for disaster.  Wait until an
>>exploit pops up and hundreds of win32 boxes get rooted.  This would be
>>a huge embarrassment and would be awful press.  Do you really want to
>>allow for this scenario?
>>
>>
>>
>
>One compromise might be that we refuse to run with elevated privs on Windows
>if configured to listen on more than localhost. Then developers with admin
>privs could play happily, but server admins would need to do the Right Thing
>(tm). Of course, if another local service could be induced to do bad things
>via postgres that would be no protection, but at least we would not be the
>primary attack vector.
>
>
>
A sql injection vulnerability in an application could still compromise
the local machine.  It's better to be safe than sorry.