Re: Proof of concept: standalone backend with full FE/BE protocol
From | Magnus Hagander |
---|---|
Subject | Re: Proof of concept: standalone backend with full FE/BE protocol |
Date | |
Msg-id | CABUevEyArz5AEBYgU6SdZARheWQ41kExwx-TgTLC8PtJ4zet6g@mail.gmail.com |
In reply to | Re: Proof of concept: standalone backend with full FE/BE protocol (Tom Lane <tgl@sss.pgh.pa.us>) |
Responses | Re: Proof of concept: standalone backend with full FE/BE protocol |
List | pgsql-hackers |
On Mon, Sep 3, 2012 at 8:51 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Magnus Hagander <magnus@hagander.net> writes:
>> On Mon, Sep 3, 2012 at 7:07 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>>> Hmm, after looking at src/port/kill.c it doesn't seem like there's much
>>> of a problem with doing that. I had had the idea that our kill
>>> emulation only worked within the backend environment, but of course
>>> pg_ctl wouldn't work if that were so. So this is easier than I thought.
>
>> Yeah, kill works fine from non-backend as long as the *receiver* has
>> our backend environment.
>
> I have another question after thinking about that for awhile: is there
> any security concern there? On Unix-oid systems, we expect the kernel
> to restrict who can do a kill() on a postgres process. If there's any
> similar restriction on who can send to that named pipe in the Windows
> version, it's not obvious from the code. Do we have/need any
> restriction there?

We use the default for CreateNamedPipe() which is:

"The ACLs in the default security descriptor for a named pipe grant
full control to the LocalSystem account, administrators, and the
creator owner. They also grant read access to members of the Everyone
group and the anonymous account."
(ref: http://msdn.microsoft.com/en-us/library/windows/desktop/aa365150(v=vs.85).aspx)

Given that we only respond to writes (we don't "publish information"
over it), I think that's a reasonable default to use.

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/
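
As an added example (not part of the original message or of PostgreSQL's code): a small Python check that parses an SDDL DACL and lists which trustees hold write access, applied to a constructed SDDL string that mirrors the default named-pipe ACL quoted above. It goes slightly beyond the message by also handling deny ACEs and hex access masks; the SDDL strings and the function names `parse_dacl` and `writers` are assumptions made for illustration.

```python
import re

# Access-mask values for the SDDL rights codes used here (from winnt.h).
RIGHTS = {"GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000,
          "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116}
# Bits that let a client write into the pipe: FILE_WRITE_DATA, or generic write/all.
WRITE_BITS = 0x00000002 | RIGHTS["GW"] | RIGHTS["GA"]
SIDS = {"SY": "LocalSystem", "BA": "Administrators", "CO": "Creator Owner",
        "WD": "Everyone", "AN": "Anonymous Logon"}

# Constructed SDDL mirroring the default DACL as the MSDN text quoted in the
# message describes it (an assumption, not dumped from a real pipe).
DEFAULT_PIPE_SDDL = "D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GA;;;CO)(A;;GR;;;WD)(A;;GR;;;AN)"
# Constructed counter-example: a DACL that also lets Everyone write.
OPEN_PIPE_SDDL = "D:(A;;GA;;;SY)(A;;GRGW;;;WD)"


def parse_dacl(sddl):
    """Return [(ace_type, access_mask, trustee)] for the ACEs in the D: part."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL ACEs in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: %r" % body)
        ace_type, rights, sid = fields[0], fields[2], fields[5]
        if rights.lower().startswith("0x"):
            mask = int(rights, 16)          # rights given as a hex mask
        else:                               # rights given as two-letter codes
            mask = 0
            for i in range(0, len(rights), 2):
                mask |= RIGHTS[rights[i:i + 2]]
        aces.append((ace_type, mask, SIDS.get(sid, sid)))
    return aces


def writers(sddl):
    """Trustees named in an allow ACE with write bits, honouring earlier deny ACEs."""
    denied, allowed = set(), []
    for ace_type, mask, trustee in parse_dacl(sddl):
        if not mask & WRITE_BITS:
            continue
        if ace_type == "D":
            denied.add(trustee)
        elif ace_type == "A" and trustee not in denied and trustee not in allowed:
            allowed.append(trustee)
    return allowed
```

The check reports only trustees named directly in an ACE and does not expand group membership, so a write grant to Everyone covers every local account.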