Unix Technical Forum

Re: Réf. : RE: Running PostGre on DVD

  #1 (permalink)  
Old 04-11-2008, 07:47 AM
Magnus Hagander

> > > Ah, now we are making progress. If there was a way to give up file
> > > access permissions so you could no longer write files to, say, the
> > > Windows System directory, this would go a long way to solving the
> > > issue. Currently, if the Postmaster runs as admin, anyone with
> > > access to the database could use COPY to read and write any file the
> > > backend can access.
> >
> > Getting rid of the admin and powerusers group should do that, I think.
>
> Look at pgwin32_is_admin(), it just checks if the user is
> member of one of those two groups. I think we have your
> solution right here...


Oh, I know - I wrote it :-)

You still lose in the nested group scenario.

And while a privilege like backup/restore can be used to overwrite any
file on the system, you must be able to execute arbitrary API calls to
do that. Whereas with admin/powerusers you can just use COPY or
whatever.

Bottom line is that pgwin32_is_admin() is far from perfect, it just
catches the most common scenarios.

//Magnus

  #2 (permalink)  
Old 04-11-2008, 07:47 AM
Martijn van Oosterhout

On Tue, Nov 15, 2005 at 10:29:34PM +0100, Magnus Hagander wrote:
> You still lose in the nested group scenario.
>
> And while a privilege like backup/restore can be used to overwrite any
> file on the system, you must be able to execute arbitrary API calls to
> do that. Whereas with admin/powerusers you can just use COPY or
> whatever.


Well, like you said, what's the problem we're trying to solve. It seems
to me that Windows doesn't have a clearly defined concept of
"superuser" and hence it can't be tested for. Having separate API
points to access files that require different privileges just makes it
more complicated.

There isn't a simple way to say, limit my access to this directory tree
(like chroot())? Surely as admin you could create tokens and add them
to the PGDATA directory and then allow only access to directories with
that token. Since PostgreSQL doesn't actually require privileges,
couldn't you just enumerate and drop them all?

Maybe allow a cripple mode where you refuse to load objects or allow
COPY. Or run any functions in untrusted languages. Still seems to me to
be a failure in the OS that you can't just say "drop everything except
this".

> Bottom line is that pgwin32_is_admin() is far from perfect, it just
> catches the most common scenarios.


My method would be: try to open file for writing in the Windows System
directory. If that works you've got too much privilege...

Have a nice day,
--
Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.
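
The write probe suggested in the post above, sketched as a startup check. This is an added example, not part of either post and not PostgreSQL code: the function names, the probe file name and the use of the SystemRoot environment variable to locate the System directory are assumptions. It tests effective write access to that one directory rather than group membership, and it treats an inconclusive probe as a refusal.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical names throughout; this is not PostgreSQL code. */
enum probe_result { PROBE_DENIED = 0, PROBE_WRITABLE = 1, PROBE_UNKNOWN = -1 };

/* Try to create a new file in dir. Mode "wx" (C11 exclusive create) fails if
 * the name already exists, so the probe never truncates someone else's file. */
enum probe_result probe_dir_writable(const char *dir)
{
    char path[1024];
    FILE *fp;
    int n = snprintf(path, sizeof path, "%s/pg_priv_probe.tmp", dir);

    if (n < 0 || (size_t) n >= sizeof path)
        return PROBE_UNKNOWN;            /* path did not fit */
    fp = fopen(path, "wx");
    if (fp == NULL)                      /* EEXIST tells us nothing about access */
        return errno == EEXIST ? PROBE_UNKNOWN : PROBE_DENIED;
    fclose(fp);
    remove(path);                        /* leave nothing behind */
    return PROBE_WRITABLE;
}

/* Startup policy: 1 = refuse to start. Fails closed on an inconclusive probe. */
int too_much_privilege(const char *system_dir)
{
    return probe_dir_writable(system_dir) != PROBE_DENIED;
}

int main(void)
{
    const char *root = getenv("SystemRoot");   /* assumption: set on Windows */
    char sysdir[1024];

    if (root == NULL) {
        fprintf(stderr, "SystemRoot not set; nothing to probe\n");
        return 0;
    }
    snprintf(sysdir, sizeof sysdir, "%s/System32", root);
    if (too_much_privilege(sysdir)) {
        fprintf(stderr, "refusing to start: can create files in %s\n", sysdir);
        return 1;
    }
    puts("privilege probe passed");
    return 0;
}
```

A directory that does not exist also reports PROBE_DENIED, so the result only means something when the path resolves to the real System directory.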

