On Tue, Nov 15, 2005 at 08:43:06PM +0100, Magnus Hagander wrote: > Ok. Didn't know that part about nonexistant ids.
Usernames are implementation details, if you ask to become user 38587, the kernel doesn't check whether they exist. You just might not be able to open any files anymore :) > > For example, does the windows model allow you to say (without > > creating a new user): I irrevocably restrict my access to > > files owned by user X for this process *only*. Or to files > > under subdirectory Y. Or I irrevocably restrict my access to > > open new network sockets. Or irrevocably restrict my access > > to create new users. > > Not entirely sure. You can get rid of privileges, and you can get rid of > group memberships. Don't think you can do it for a specific file, > because that's driven by the ACL on the file and not on the token. (You > can get rid of the group that had permissions on it which would give you > the same effect, but if someone granted your account direct permissions > on it, you'd still be able to access it). Ah, now we are making progress. If there was a way to give up file access permissions so you could no longer write files to, say, the Windows System directory, this would go a long way to solving the issue. Currently, if the Postmaster runs as admin, anyone with access to the database could use COPY to read and write any file the backend can access. > Hmm. I guess we could try the approach of dropping groups in pg_ctl > before we even call postmaster... Should be doable, if someone wants to > do the lifting. Tha way we could keep the admin check in the postmaster, > because we'd get rid of admin before we got there... Actually, it could possibly be acceptable to do it inside the postmaster itself. It doesn't really matter where it's done, as long as it permanently restricts the access of the postmaster from then on. Quickly looking, I found a site [1] that refers to OpenProcessToken() and AdjustTokenPrivileges() which appears to allow you to drop permissions you have. There is also something called CreateRestrictedToken() which can then to passed to CreateProcessAsUser(). Maybe one of the Win32 hackers want to look into this to see what can be done. [1] http://www.winterdom.com/dev/security/tokens.html Have a nice day, -- Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/ > Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a > tool for doing 5% of the work and then sitting around waiting for someone > else to do the other 95% so you can sue them.
pgpf859fJkwLf.pgp
Description: PGP signature