Best practice for running pgsql under cygwin?

Best practice for running pgsql under cygwin?

[Ryan Johnson]

Hi all,

I'm trying to set up pgsql for classroom instruction, which means I need 
to allow students to connect to my machine, preferably with no OS-level 
privileges and minimal database privileges. Setting up the database 
roles looks straightforward enough, but I'm having trouble figuring out 
how to secure the machine. In particular, the advice to run pgsql as an 
unprivileged user seems very good, but all the official docs I can find 
for doing so require su/sudo and useradd. Installing pgsql as a service 
using the script in /etc/rc.d runs it as the SYSTEM user, which is 
anything but unprivileged [1][2]; it seems like the LocalService or 
NetworkService account [3] would be a much better choice.

The pgsql README in /usr/doc/cygwin contains no useful information on 
the topic; there are lots of third-party pages offering "helpful" advice 
for cygwin+pgsql, but we all know how reliable those are (especially 
since the most recent one I can find dates from 2008).

Does anybody have some advice on how I might proceed? Note that I don't 
actually need it to run as a Windows service, it's just that most docs I 
can find seem to point that way. If it would be better to create a pgsql 
account (perhaps with help from cygwin-service-installation-helper.sh), 
I'd be happy to go that way as well.

Thanks in advance,
Ryan

[1] http://support.microsoft.com/kb/120929
[2] 
http://msdn.microsoft.com/en-us/library/windows/desktop/ms684190%28v=vs.85%29.aspx
[3] 
http://msdn.microsoft.com/en-us/library/windows/desktop/ms686005%28v=vs.85%29.aspx



--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Best practice for running pgsql under cygwin?

[Andrey Repin]

Greetings, Ryan Johnson!

> I'm trying to set up pgsql for classroom instruction, which means I need
> to allow students to connect to my machine, preferably with no OS-level 
> privileges and minimal database privileges.

If your class is about setting up the server, you should really use virtual
machines.
If it's about using SQL on already running server, it makes no difference, if
you've your server as Cygwin port or native application - clients will never
know.

> Setting up the database roles looks straightforward enough, but I'm having
> trouble figuring out how to secure the machine.

It is unclear to me, why you need to let students access the machine.

> In particular, the advice to run pgsql as an
> unprivileged user seems very good, but all the official docs I can find 
> for doing so require su/sudo and useradd. Installing pgsql as a service 
> using the script in /etc/rc.d runs it as the SYSTEM user, which is 
> anything but unprivileged [1][2]; it seems like the LocalService or 
> NetworkService account [3] would be a much better choice.

> The pgsql README in /usr/doc/cygwin contains no useful information on 
> the topic; there are lots of third-party pages offering "helpful" advice 
> for cygwin+pgsql, but we all know how reliable those are (especially 
> since the most recent one I can find dates from 2008).

> Does anybody have some advice on how I might proceed? Note that I don't 
> actually need it to run as a Windows service, it's just that most docs I 
> can find seem to point that way. If it would be better to create a pgsql 
> account (perhaps with help from cygwin-service-installation-helper.sh), 
> I'd be happy to go that way as well.


--
WBR,
Andrey Repin (anrdaemon@freemail.ru) 22.12.2012, <18:31>

Sorry for my terrible english...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Best practice for running pgsql under cygwin?

[Ryan Johnson]

On 22/12/2012 7:36 AM, Andrey Repin wrote:
> Greetings, Ryan Johnson!
>
>> I'm trying to set up pgsql for classroom instruction, which means I need
>> to allow students to connect to my machine, preferably with no OS-level
>> privileges and minimal database privileges.
> If your class is about setting up the server, you should really use virtual
> machines.
> If it's about using SQL on already running server, it makes no difference, if
> you've your server as Cygwin port or native application - clients will never
> know.
>
>> Setting up the database roles looks straightforward enough, but I'm having
>> trouble figuring out how to secure the machine.
> It is unclear to me, why you need to let students access the machine.
Most student work will be done on private installs of pgsql, which they 
can set up however they'd like.

However, we're going to do classroom demos at times, including one where 
we have fun with different isolation levels; I'll need multiple students 
logged into the same database so they can mess with each others' 
interactive transactions.

Thanks,
Ryan


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Best practice for running pgsql under cygwin?

[bartels]

On 12/22/2012 05:18 PM, Ryan Johnson wrote:
>
> However, we're going to do classroom demos at times, including one where we have fun with different isolation levels; I'll need multiple 
> students logged into the same database so they can mess with each others' interactive transactions. 

Postgres has a native Windows installer, does tcp very well and has excellent access control.

It is not clear to me where cygwin comes in, or what it is you are trying to protect.

- bartels

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Best practice for running pgsql under cygwin?

[Andrey Repin]

Greetings, Ryan Johnson!

> On 22/12/2012 7:36 AM, Andrey Repin wrote:
>> Greetings, Ryan Johnson!
>>
>>> I'm trying to set up pgsql for classroom instruction, which means I need
>>> to allow students to connect to my machine, preferably with no OS-level
>>> privileges and minimal database privileges.
>> If your class is about setting up the server, you should really use virtual
>> machines.
>> If it's about using SQL on already running server, it makes no difference, if
>> you've your server as Cygwin port or native application - clients will never
>> know.
>>
>>> Setting up the database roles looks straightforward enough, but I'm having
>>> trouble figuring out how to secure the machine.
>> It is unclear to me, why you need to let students access the machine.
> Most student work will be done on private installs of pgsql, which they 
> can set up however they'd like.

> However, we're going to do classroom demos at times, including one where 
> we have fun with different isolation levels; I'll need multiple students 
> logged into the same database so they can mess with each others' 
> interactive transactions.

The answer remains the same - use virtual machines. Probably, with Linux.
Then you would be able to have pre-made system installations for every class,
and what more important, you could easily restore each VM to the state you
want it in for a next group of students taking the same class.


--
WBR,
Andrey Repin (anrdaemon@freemail.ru) 23.12.2012, <05:51>

Sorry for my terrible english...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple