> > > Ah, now we are making progress. If there was a way to give up file
> > > access permissions so you could no longer write files to, say, the
> > > Windows System directory, this would go a long way to solving the
> > > issue. Currently, if the Postmaster runs as admin, anyone with
> > > access to the database could use COPY to read and write any file the
> > > backend can access.
> >
> > Getting rid of the admin and powerusers group should do that, I think.
> > Look at pgwin32_is_admin(), it just checks if the user is member of one
> > of those two groups. I think we have your solution right here...
Oh, I know - I wrote it :-)

You still lose in the nested group scenario. And while a privilege like backup/restore can be used to overwrite any file on the system, you must be able to execute arbitrary API calls to do that. Whereas with admin/powerusers you can just use COPY or whatever.

Bottom line is that pgwin32_is_admin() is far from perfect, it just catches the most common scenarios.

//Magnus
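The check discussed in the thread, refusing to run a database service under an account that belongs to Administrators or Power Users, as an added PowerShell example. This is not PostgreSQL's pgwin32_is_admin() and not code from the thread; the function name Test-PrivilegedGroupMembership is made up for the example. It reads the group list of the current access token, which Windows populates with the account's effective group memberships (including membership obtained through nested groups), and compares it against the well-known SIDs of the two built-in groups.

```powershell
# Added example, not PostgreSQL's pgwin32_is_admin(): decide whether the
# current account should be refused as a service account because it is a
# member (directly or via a nested group) of Administrators or Power Users.
function Test-PrivilegedGroupMembership {
    param(
        # Well-known SIDs: BUILTIN\Administrators (S-1-5-32-544) and
        # BUILTIN\Power Users (S-1-5-32-547); both are rejected here.
        [string[]]$DeniedSids = @('S-1-5-32-544', 'S-1-5-32-547')
    )

    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # The token's group list already reflects nested membership, so a user
    # who reaches Administrators only through an intermediate group is found.
    $hits = @(
        foreach ($group in $identity.Groups) {
            if ($DeniedSids -contains $group.Value) {
                $group.Translate([System.Security.Principal.NTAccount]).Value
            }
        }
    )

    [pscustomobject]@{
        User             = $identity.Name
        PrivilegedGroups = $hits
        # IsInRole honours the token as well, so this is a second opinion
        # on the Administrators case only.
        IsAdministrator  = $principal.IsInRole(
            [System.Security.Principal.WindowsBuiltInRole]::Administrator)
        ShouldRefuse     = ($hits.Count -gt 0)
    }
}

# Usage: run this before starting the service under the candidate account.
$check = Test-PrivilegedGroupMembership
if ($check.ShouldRefuse) {
    Write-Error ("Refusing to start: {0} is a member of {1}" -f `
        $check.User, ($check.PrivilegedGroups -join ', '))
    exit 1
}
Write-Output ("OK: {0} is not in Administrators or Power Users" -f $check.User)
```

Two limits of this check, in line with the thread: it only covers group membership, so an account that holds a dangerous privilege (such as the backup/restore privileges mentioned above) without being in either group passes it, and it is only as good as the SID list it is given. Run it under the exact account that will own the service, since the result depends on that account's token.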