Re: Proof of concept: standalone backend with full FE/BE protocol

On Mon, Sep 3, 2012 at 8:51 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Magnus Hagander <magnus(at)hagander(dot)net> writes:
>> On Mon, Sep 3, 2012 at 7:07 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>>> Hmm, after looking at src/port/kill.c it doesn't seem like there's much
>>> of a problem with doing that. I had had the idea that our kill
>>> emulation only worked within the backend environment, but of course
>>> pg_ctl wouldn't work if that were so. So this is easier than I thought.
>
>> Yeah, kill works fine from non-backend as long as the *receiver* has
>> our backend environment.
>
> I have another question after thinking about that for awhile: is there
> any security concern there? On Unix-oid systems, we expect the kernel
> to restrict who can do a kill() on a postgres process. If there's any
> similar restriction on who can send to that named pipe in the Windows
> version, it's not obvious from the code. Do we have/need any
> restriction there?

We use the default for CreateNamedPipe() which is:
" The ACLs in the default security descriptor for a named pipe grant
full control to the LocalSystem account, administrators, and the
creator owner. They also grant read access to members of the Everyone
group and the anonymous account."
(ref: http://msdn.microsoft.com/en-us/library/windows/desktop/aa365150(v=vs.85).aspx)

Given that we only respond to writes (we don't "publish information"
over it), I think that's a reasonable default to use.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/