| From: | "Tsunakawa, Takayuki" <tsunakawa(dot)takay(at)jp(dot)fujitsu(dot)com> |
|---|---|
| To: | 'Michael Paquier' <michael(dot)paquier(at)gmail(dot)com> |
| Cc: | MauMau <maumau307(at)gmail(dot)com>, Breen Hagan <breen(at)rtda(dot)com>, "Heikki Linnakangas" <hlinnaka(at)iki(dot)fi>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Re: BUG #13755: pgwin32_is_service not checking if SECURITY_SERVICE_SID is disabled |
| Date: | 2016-11-08 03:16:33 |
| Message-ID: | 0A3221C70F24FB45833433255569204D1F63C6C9@G01JPEXMBYT05 |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs pgsql-hackers |
From: pgsql-hackers-owner(at)postgresql(dot)org
> [mailto:pgsql-hackers-owner(at)postgresql(dot)org] On Behalf Of Michael Paquier
> https://msdn.microsoft.com/ja-jp/library/windows/desktop/ms684190(v=vs
> > .85).aspx
>
> That's what I looked at as well :) And this part is what caught my attention,
> meaning that it is not used by anything else than the SCM:
> "The LocalSystem account is a predefined local account used by the service
> control manager."
The same thing is said about other two special accounts, so they need to be checked if we really believe we need to check for LocalSystem.
"The LocalService account is a predefined local account used by the service control manager."
"The NetworkService account is a predefined local account used by the service control manager."
But, in practice, SECURITY_SERVICE_RID has turned out to be enough.
> And this implies, at least it seems to me, that trying to run Postgres as
> this user is actually not something you'd want to do.
Yes, I think people should avoid using LocalSystem for user services like PostgreSQL for security reasons. But the Services applet in the Control Panel allows to select LocalSystem, and pg_ctl register creates a service with LocalSystem account when -U is omitted.
Regards
Takayuki Tsunakawa
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Michael Paquier | 2016-11-08 03:20:27 | Re: Re: BUG #13755: pgwin32_is_service not checking if SECURITY_SERVICE_SID is disabled |
| Previous Message | Michael Paquier | 2016-11-08 02:57:58 | Re: Re: BUG #13755: pgwin32_is_service not checking if SECURITY_SERVICE_SID is disabled |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Michael Paquier | 2016-11-08 03:20:27 | Re: Re: BUG #13755: pgwin32_is_service not checking if SECURITY_SERVICE_SID is disabled |
| Previous Message | Craig Ringer | 2016-11-08 03:12:33 | Re: C based plugins, clocks, locks, and configuration variables |