[HACKERS] [bug fix] pg_ctl fails with config-only directory

Wed, 04 Dec 2013 06:27:10 -0800 

Hello,
I've found a bug and would like to fix it, but I cannot figure out how to do that well. Could you give me any advice? I encountered this on PG 9.2, but it will probably exist in later versions. 

[Problem]

On Windows, a user with Administrator privileges can start the database 
server.  However, when he uses config-only directory, the database server 
cannot be started.  "pg_ctl start" fails with the following messages:


Execution of PostgreSQL by a user with administrative permissions is not
permitted.
The server must be started under an unprivileged user ID to prevent
possible system security compromises.  See the documentation for
more information on how to properly start the server.


[Cause]

pg_ctl runs "postgres -C data_directory" to know the data directory.  But 
postgres cannot be run by a user with Administrator privileges, and displays 
the above messages.



[Fix]

It is ideal that users with administrative privileges can start postgres, 
with the Administrator privileges removed.



Currently, initdb and pg_ctl take trouble to invoke postgres in a process 
with restricted privileges.  I understand this improvement was done in 8.2 
or 8.3 for convenience.  The same convenience should be available when 
running postgres directly, at least "postgres -C", 
"postgres --describe-config", and "postgres --single".


Then, how can we do this?  Which approach should we take?

* Approach 1

When postgres starts, it removes Administrator privileges from its own 
process.  But is this possible at all?  Windows security API is complex and 
provides many functions.  It seems difficult to understand them.  I'm afraid 
it would take a long time to figure out the solution.  Is there any good web 
page to look at?


* Approach 2

Do not call check_root() on Windows when -C, --describe-config, or --single 
is specified when running postgres.  This would be easy, and should not be 
dangerous in terms of security because attackers cannot get into the server 
process via network.



I'll try to find a solution based on approach 1, but I doubt there's one. 
If okay, I want to take approach 2.  Could you give me your thoughts?


Regards
MauMau



--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers






















					Reply via email to