Re: [HACKERS] Minimising windows installer password confusion

2012-06-15 Thread Craig Ringer
On 06/14/2012 11:59 PM, Dave Page wrote: On Thu, Jun 14, 2012 at 11:43 AM, Dave Page wrote: I'll have a play with it and see if a simple switch to NetworkService seems feasible. OK, I worked up a patch which uses "NT AUTHORITY\NetworkService" as the service account by default. This doesn't nee

Re: [HACKERS] Minimising windows installer password confusion

2012-06-14 Thread Dave Page
On Thu, Jun 14, 2012 at 5:38 PM, Robert Haas wrote: > On Thu, Jun 14, 2012 at 11:59 AM, Dave Page wrote: >> On Thu, Jun 14, 2012 at 11:43 AM, Dave Page wrote: >>> >>> I'll have a play with it and see if a simple switch to NetworkService >>> seems feasible. >> >> OK, I worked up a patch which use

Re: [HACKERS] Minimising windows installer password confusion

2012-06-14 Thread Robert Haas
On Thu, Jun 14, 2012 at 11:59 AM, Dave Page wrote: > On Thu, Jun 14, 2012 at 11:43 AM, Dave Page wrote: >> >> I'll have a play with it and see if a simple switch to NetworkService >> seems feasible. > > OK, I worked up a patch which uses "NT AUTHORITY\NetworkService" as > the service account by d

Re: [HACKERS] Minimising windows installer password confusion

2012-06-14 Thread Dave Page
On Thu, Jun 14, 2012 at 11:43 AM, Dave Page wrote: > > I'll have a play with it and see if a simple switch to NetworkService > seems feasible. OK, I worked up a patch which uses "NT AUTHORITY\NetworkService" as the service account by default. This doesn't need a password, so allows us to simply p

Re: [HACKERS] Minimising windows installer password confusion

2012-06-14 Thread Dave Page
On Thu, Jun 14, 2012 at 12:55 AM, Craig Ringer wrote: > On 06/13/2012 05:14 PM, Dave Page wrote: >> >> On Wed, Jun 13, 2012 at 2:18 AM, Craig Ringer >> wrote: >>> >>> On 06/12/2012 08:08 PM, Dave Page wrote: Some background: By default the installer will use 'postgres' for both the

Re: [HACKERS] Minimising windows installer password confusion

2012-06-13 Thread Craig Ringer
On 06/13/2012 06:32 PM, Florian Pflug wrote: Some further googling indicates that, yes, the service account passwords are stored in the registry, but are only accessible to the LocalSystem account [2]. Querying them from the postgres installer thus isn't really an option. But what you could do, I

Re: [HACKERS] Minimising windows installer password confusion

2012-06-13 Thread Craig Ringer
On 06/13/2012 05:18 PM, Dave Page wrote: On Wed, Jun 13, 2012 at 3:07 AM, Craig Ringer Why "using the windows control panel" ? Because when I wrote the email I was looking for a simple solution that wouldn't require writing code that has potential to fail depending on how the users environme

Re: [HACKERS] Minimising windows installer password confusion

2012-06-13 Thread Craig Ringer
On 06/13/2012 05:14 PM, Dave Page wrote: On Wed, Jun 13, 2012 at 2:18 AM, Craig Ringer wrote: On 06/12/2012 08:08 PM, Dave Page wrote: Some background: By default the installer will use 'postgres' for both the service (OS) account, and the database superuser account. It will use the same passw

Re: [HACKERS] Minimising windows installer password confusion

2012-06-13 Thread Craig Ringer
On 06/13/2012 05:10 PM, Dave Page wrote: The idea of storing the password in clear text in the registry gives me nervous twitches. Me too. It's horrible, and I really dislike the idea. I can't imagine that Microsoft don't have a better solution to this. I talked to some Microsoft people at a

Re: [HACKERS] Minimising windows installer password confusion

2012-06-13 Thread Florian Pflug
On Jun13, 2012, at 11:10 , Dave Page wrote: > On Wed, Jun 13, 2012 at 2:12 AM, Craig Ringer > wrote: >> >> Users don't remember passwords, though. It's one of those constants, and is >> why practically every web site etc out there offers password recovery. >> >> The installer IMO needs to store

Re: [HACKERS] Minimising windows installer password confusion

2012-06-13 Thread Dave Page
On Wed, Jun 13, 2012 at 3:07 AM, Craig Ringer wrote: > On 06/13/2012 01:19 AM, Sachin Srivastava wrote: >> >> >> On Tue, Jun 12, 2012 at 7:43 PM, Dave Page wrote: >> >> On Tue, Jun 12, 2012 at 2:57 PM, Robert Haas wrote: > > >>

Re: [HACKERS] Minimising windows installer password confusion

2012-06-13 Thread Dave Page
On Wed, Jun 13, 2012 at 2:18 AM, Craig Ringer wrote: > On 06/12/2012 08:08 PM, Dave Page wrote: >> >> Some background: By default the installer will use 'postgres' for both >> the service (OS) account, and the database superuser account. It will >> use the same password for both (though, users hav

Re: [HACKERS] Minimising windows installer password confusion

2012-06-13 Thread Dave Page
On Wed, Jun 13, 2012 at 2:12 AM, Craig Ringer wrote: > > Users don't remember passwords, though. It's one of those constants, and is > why practically every web site etc out there offers password recovery. > > The installer IMO needs to store the postgres account password in a registry > key with

Re: [HACKERS] Minimising windows installer password confusion

2012-06-12 Thread Craig Ringer
On 06/13/2012 01:19 AM, Sachin Srivastava wrote: On Tue, Jun 12, 2012 at 7:43 PM, Dave Page wrote: On Tue, Jun 12, 2012 at 2:57 PM, Robert Haas wrote: > What we need is to display a different dialogue based on the situati

Re: [HACKERS] Minimising windows installer password confusion

2012-06-12 Thread Craig Ringer
On 06/12/2012 08:08 PM, Dave Page wrote: Some background: By default the installer will use 'postgres' for both the service (OS) account, and the database superuser account. It will use the same password for both (though, users have complete control at the command line if they want it, which is w

Re: [HACKERS] Minimising windows installer password confusion

2012-06-12 Thread Craig Ringer
On 06/12/2012 08:48 PM, Dave Page wrote: I'm not keen on adding additional user accounts - that's a security problem imho. It's also an issue for add-ons like PgAgent that aren't necessarily tied to one exact version of Pg. That makes sense. I just think we should try very hard to make the ins

Re: [HACKERS] Minimising windows installer password confusion

2012-06-12 Thread Sachin Srivastava
On Tue, Jun 12, 2012 at 7:43 PM, Dave Page wrote: > On Tue, Jun 12, 2012 at 2:57 PM, Robert Haas > wrote: > > On Tue, Jun 12, 2012 at 8:53 AM, Dave Page wrote: > >>> Oh, I certainly wouldn't do it without *informing* and verifying it > >>> with the user. > >> > >> That'll add additional steps f

Re: [HACKERS] Minimising windows installer password confusion

2012-06-12 Thread Dave Page
On Tue, Jun 12, 2012 at 2:57 PM, Robert Haas wrote: > On Tue, Jun 12, 2012 at 8:53 AM, Dave Page wrote: >>> Oh, I certainly wouldn't do it without *informing* and verifying it >>> with the user. >> >> That'll add additional steps for all users, and likely confuse the >> novices even more. > > The

Re: [HACKERS] Minimising windows installer password confusion

2012-06-12 Thread Robert Haas
On Tue, Jun 12, 2012 at 8:53 AM, Dave Page wrote: >> Oh, I certainly wouldn't do it without *informing* and verifying it >> with the user. > > That'll add additional steps for all users, and likely confuse the > novices even more. The real issue here is that it's nuts to tell the user "please ent

Re: [HACKERS] Minimising windows installer password confusion

2012-06-12 Thread Dave Page
On Tue, Jun 12, 2012 at 1:49 PM, Magnus Hagander wrote: > >> >> I'm not keen on adding additional user accounts - that's a security >> problem imho. It'll leave the unaware user with multiple accounts on >> the system, and may cause those that do understand what's going on >> pain because they'll

Re: [HACKERS] Minimising windows installer password confusion

2012-06-12 Thread Magnus Hagander
On Tue, Jun 12, 2012 at 2:48 PM, Dave Page wrote: > On Tue, Jun 12, 2012 at 1:35 PM, Kevin Grittner > wrote: >> Magnus Hagander  wrote: >>> Kevin Grittner  wrote: >> Are they running the installation as a system administrator? If so, rather than throwing up an error message and telling

Re: [HACKERS] Minimising windows installer password confusion

2012-06-12 Thread Dave Page
On Tue, Jun 12, 2012 at 1:35 PM, Kevin Grittner wrote: > Magnus Hagander  wrote: >> Kevin Grittner  wrote: > >>> Are they running the installation as a system administrator? If >>> so, rather than throwing up an error message and telling them to >>> go use other tools to reset the password, is it

Re: [HACKERS] Minimising windows installer password confusion

2012-06-12 Thread Kevin Grittner
Magnus Hagander wrote: > Kevin Grittner wrote: >> Are they running the installation as a system administrator? If >> so, rather than throwing up an error message and telling them to >> go use other tools to reset the password, is it possible for the >> administrator account to force a password

Re: [HACKERS] Minimising windows installer password confusion

2012-06-12 Thread Magnus Hagander
On Tue, Jun 12, 2012 at 2:26 PM, Kevin Grittner wrote: > Dave Page  wrote: > >> Probably the most common issue we see from Windows users of >> PostgreSQL is confusion over the passwords the installer asks for >> during installation and upgrade. > > Yeah, I think so. > >> Attached are some screensh

Re: [HACKERS] Minimising windows installer password confusion

2012-06-12 Thread Kevin Grittner
Dave Page wrote: > Probably the most common issue we see from Windows users of > PostgreSQL is confusion over the passwords the installer asks for > during installation and upgrade. Yeah, I think so. > Attached are some screenshots of the current installation and > upgrade steps in question,