Re: BUG #16341: Installation with EnterpriseDB Community installer in NT AUTHORITY\SYSTEM context not possible

Hi Bert,

I am not able to reproduce the issue on normal users while I am only
getting an error message while I run installer on Domain control Admin
Account.

Please find the issue on snapshot.

Is this the same problem you are facing?

On Mon, Apr 6, 2020 at 7:11 PM Bert Brezel <pg(dot)dba(dot)iit(dot)team(at)gmail(dot)com>
wrote:

> Hi, thank you for your reply. I answered below your comments.
>
> On Fri, Apr 3, 2020 at 7:47 PM PG Bug reporting form <
> noreply(at)postgresql(dot)org> wrote:
>
>> The following bug has been logged on the website:
>>
>> Bug reference: 16341
>> Logged by: Enrico La Torre
>> Email address: pg(dot)dba(dot)iit(dot)team(at)gmail(dot)com
>> PostgreSQL version: 9.6.17
>> Operating system: Windows Server 2016
>> Description:
>>
>> Hi,
>>
>> it could be that the same bug was reported in
>>
>> https://www.postgresql.org/message-id/16001-fa33ba75a039fc7d%40postgresql.org
>> , but nobody answered until today.
>>
>> It is impossible for me to install PostgreSQL 9.6.17 with the EnterpriseDB
>> installer (free Community Edition) on Windows Server 2016 in the security
>> context of NT AUTHORITY\SYSTEM.
>
>
> Can you elaborate this please?
>
> I use psexec.exe from the Sysinternals Suite
> <https://docs.microsoft.com/de-de/sysinternals/downloads/sysinternals-suite> to
> get a PowerShell cmd shell in NT AUTHORITY\SYSTEM context. whoami returns
> 'nt authority\system'.
> If I then start the installer with '.\postgresql-9.6.17-1-windows-x64.exe'
> the interactive installer starts and returns the given error message. To be
> precise, only the logo of EnterpriseDB is shown and then the error message
> appears.
> Usually we call the installer in the unattended mode in our scripts but it
> even fails in the interactive mode now. So I ruled out any error with the
> argument list of the installer call.
>
>
>> If I start the installer with a regular
>> domain admin account, which is also local administrator, the installer
>> starts.
>>
>> OK
>
>
>> I receive the error message:
>> "Error running icacls "C:\Windows\Temp/postgresql_installer_ca555e4059" /T
>> /Q /grant "<DOMAIN>/<COMPUTERNAME>$:(OI)(CI)F":
>> C:\Windows\Temp/postgresql_installer_ca555e4059\*: Access is denied"
>>
>> I disclaimed The log file of the installer
>> 'C:\Windows\Temp\install-postgresql.log' is never written.
>>
>> There must be files starting with bitrock*
>
> The file 'C:\Windows\Temp\bitrock_installer.log' shows (I also attached
> the file to this mail):
>
> Log started 04/06/2020 at 15:51:53
> Preferred installation mode : qt
> Trying to init installer in mode qt
> Mode qt successfully initialized
> Executing icacls "C:\Windows\Temp/postgresql_installer_f37cf0f7f1"
> /inheritance:r
> Script exit code: 0
>
> Script output:
> processed file: C:\Windows\Temp/postgresql_installer_f37cf0f7f1
> Successfully processed 1 files; Failed processing 0 files
>
> Script stderr:
>
>
> Executing icacls "C:\Windows\Temp/postgresql_installer_f37cf0f7f1" /T /Q
> /grant "ALDI-199\911-092STL01$:(OI)(CI)F"
> Script exit code: 5
>
> Script output:
> Successfully processed 1 files; Failed processing 1 files
>
> Script stderr:
> C:\Windows\Temp/postgresql_installer_f37cf0f7f1\*: Access is denied.
>
> Error running icacls "C:\Windows\Temp/postgresql_installer_f37cf0f7f1" /T
> /Q /grant "ALDI-199\911-092STL01$:(OI)(CI)F":
> C:\Windows\Temp/postgresql_installer_f37cf0f7f1\*: Access is denied.
> Cannot delete file C:/Windows/Temp/postgresql_installer_f37cf0f7f1
> Exiting with code 1
>
>
>
>
>> SYSTEM has FULL CONTROL for 'C:\Windows\Temp'. Created directories in this
>> directory by SYSTEM inherit FULL CONTROL from the parent. But if I check
>> the
>> temporary directory '.\postgresql_installer_ca555e4059' I see that the
>> inheritance is disabled for this particular directory. Only the principal
>> named <DOMAIN>/<COMPUTERNAME>$ has FULL CONTROL not SYSTEM.
>>
>> Sure, once I receive the logs I may ask you to get the ACLs for some
> directories which will give us more clues.
>
>
>> The same issue is also true for PostgreSQL 12.2. The last time this
>> procedure worked that I know is with the installer for PostgreSQL 9.6.12.
>>
>> Kind regards
>>
>>
>
> Am Mo., 6. Apr. 2020 um 14:27 Uhr schrieb Sandeep Thakkar <
> sandeep(dot)thakkar(at)enterprisedb(dot)com>:
>
>> Hi,
>>
>>
>>
>> On Fri, Apr 3, 2020 at 7:47 PM PG Bug reporting form <
>> noreply(at)postgresql(dot)org> wrote:
>>
>>> The following bug has been logged on the website:
>>>
>>> Bug reference: 16341
>>> Logged by: Enrico La Torre
>>> Email address: pg(dot)dba(dot)iit(dot)team(at)gmail(dot)com
>>> PostgreSQL version: 9.6.17
>>> Operating system: Windows Server 2016
>>> Description:
>>>
>>> Hi,
>>>
>>> it could be that the same bug was reported in
>>>
>>> https://www.postgresql.org/message-id/16001-fa33ba75a039fc7d%40postgresql.org
>>> , but nobody answered until today.
>>>
>>> It is impossible for me to install PostgreSQL 9.6.17 with the
>>> EnterpriseDB
>>> installer (free Community Edition) on Windows Server 2016 in the security
>>> context of NT AUTHORITY\SYSTEM.
>>
>>
>> Can you elaborate this please?
>>
>>
>>> If I start the installer with a regular
>>> domain admin account, which is also local administrator, the installer
>>> starts.
>>>
>>> OK
>>
>>
>>> I receive the error message:
>>> "Error running icacls "C:\Windows\Temp/postgresql_installer_ca555e4059"
>>> /T
>>> /Q /grant "<DOMAIN>/<COMPUTERNAME>$:(OI)(CI)F":
>>> C:\Windows\Temp/postgresql_installer_ca555e4059\*: Access is denied"
>>>
>>> I disclaimed The log file of the installer
>>> 'C:\Windows\Temp\install-postgresql.log' is never written.
>>>
>>> There must be files starting with bitrock*
>>
>>
>>> SYSTEM has FULL CONTROL for 'C:\Windows\Temp'. Created directories in
>>> this
>>> directory by SYSTEM inherit FULL CONTROL from the parent. But if I check
>>> the
>>> temporary directory '.\postgresql_installer_ca555e4059' I see that the
>>> inheritance is disabled for this particular directory. Only the principal
>>> named <DOMAIN>/<COMPUTERNAME>$ has FULL CONTROL not SYSTEM.
>>>
>>> Sure, once I receive the logs I may ask you to get the ACLs for some
>> directories which will give us more clues.
>>
>>
>>> The same issue is also true for PostgreSQL 12.2. The last time this
>>> procedure worked that I know is with the installer for PostgreSQL 9.6.12.
>>>
>>> Kind regards
>>>
>>>
>>
>> --
>> Sandeep Thakkar
>>
>>
>>

--
Fahar Abbas
QMG
EnterpriseDB Corporation
Phone Office: +92-51-835-8874
Phone Direct: +92-51-8466803
Mobile: +92-333-5409707
Skype ID: *live:fahar.abbas*
Website: www.enterprisedb.com