On Thu, Dec 5, 2013 at 6:30 PM, MauMau <maumau...@gmail.com> wrote: > From: "Amit Kapila" <amit.kapil...@gmail.com> >> >> On Wed, Dec 4, 2013 at 7:57 PM, MauMau <maumau...@gmail.com> wrote: >>> >> >> Approach-2 has been discussed previously to resolve it and it doesn't seem >> to be >> a good way to handle it. Please refer link: >> http://www.postgresql.org/message-id/1339601668-sup-4...@alvh.no-ip.org >> >> You can go through that mail chain and see if there can be a better >> solution than Approach-2. > > > Thanks for the info. I understand your feeling, but we need to be > practical. I believe we should not leave a bug and inconvenience by > worrying about theory too much. In addition to the config-only directory, > the DBA with admin privs will naturally want to run "postgres -C" and > "postgres --describe-config", because they are useful and so described in > the manual. I don't see any (at least big) risk in allowing postgres > -C/--describe-config to run with admin privs.
Today, I had again gone through all the discussion that happened at that time related to this problem and I found that later in discussion it was discussed something on lines as your Approach-2, please see the link http://www.postgresql.org/message-id/503a879c.6070...@dunslane.net > In addition, recent Windows > versions help to secure the system by revoking admin privs with UAC, don't > they? Disabling UAC is not recommended. > > I couldn't find a way to let postgres delete its token groups from its own > primary access token. There doesn't seem to be a reasonably clean and good > way. Wouldn't the other way to resolve this problem be reinvoke pg_ctl in non-restricted mode for the case in question? > So I had to choose approach 2. Please find attached the patch. This simple > and not-complex change worked well. I'd like to add this to 2014-1 > commitfest this weekend unless a better approach is proposed. I think it is important to resolve this problem, so please godhead and upload this patch to next CF. With Regards, Amit Kapila. EnterpriseDB: http://www.enterprisedb.com -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers