Re: Re: BUG #5065: pg_ctl start fails as administrator, with "could not locate matching postgres executable"

From: Dave Page <dpage(at)pgadmin(dot)org>
To: Andrew Dunstan <andrew(at)dunslane(dot)net>
Cc: Jesse Morris <jmorris(at)coverity(dot)com>, pgsql-bugs(at)postgresql(dot)org, Magnus Hagander <magnus(at)hagander(dot)net>
Subject: Re: Re: BUG #5065: pg_ctl start fails as administrator, with "could not locate matching postgres executable"
Date: 2009-10-20 08:54:18
Message-ID: 937d27e10910200154q719e16b1l25b9b2da651df030@mail.gmail.com
Lists: pgsql-bugs pgsql-hackers

On Mon, Oct 19, 2009 at 7:03 PM, Andrew Dunstan <andrew(at)dunslane(dot)net> wrote:
>
> However, I'd like a bit more comment added on just why doing this is safe.

The patch doesn't change what the code aims to do, only the way it
does it. The existing code does this:

- Creates a restricted security token
- Creates a new (suspended) process using that token
- Adds an ACE for the current user to the DACL for the new process
- Resumes (un-suspends) the process

The patch changes that to:

- Creates a restricted security token
- Adds an ACE for the current user to the DACL for the new token
- Creates a new (suspended) process using that token
- Resumes (un-suspends) the process

The net result /should/ be the same, but the second method is
apparently a little more robust.

> Would it still be safe if someone granted some dangerous privilege directly
> to the Administrator user, if that's possible?

The patch doesn't change that at all, but yes, I believe it is safe
because we drop all privileges when we create the restricted token,
and we then grant access (by adding an ACE) for the user using the
GENERIC_ALL flag, which (AIUI) just gives GENERIC_READ, GENERIC_WRITE
and GENERIC_EXECUTE privileges, and *not* any of the 'standard' or
'specific' rights (which include the more important/dangerous things
like DACL write access).

See:

http://msdn.microsoft.com/en-us/library/aa374892%28VS.85%29.aspx
http://msdn.microsoft.com/en-us/library/aa374951%28VS.85%29.aspx
http://msdn.microsoft.com/en-us/library/aa446583%28VS.85%29.aspx

--
Dave Page
EnterpriseDB UK: http://www.enterprisedb.com
PGDay.EU 2009 Conference: http://2009.pgday.eu/start
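
How a generic right in an ACE is expanded into standard and specific rights when an access check runs, as an added example that is not part of the original message or of the PostgreSQL source. The helper names are hypothetical, and the mapping table is an assumption: it uses the winnt.h TOKEN_READ, TOKEN_WRITE, TOKEN_EXECUTE and TOKEN_ALL_ACCESS macro values as the generic mapping for a token object.

```c
#include <stdint.h>
#include <stdio.h>

/* ACCESS_MASK constants as defined in winnt.h. */
#define GENERIC_READ        0x80000000u
#define GENERIC_WRITE       0x40000000u
#define GENERIC_EXECUTE     0x20000000u
#define GENERIC_ALL         0x10000000u
#define WRITE_DAC           0x00040000u
#define WRITE_OWNER         0x00080000u
#define STANDARD_RIGHTS_ALL 0x001F0000u /* bits 16-20 */
#define SPECIFIC_RIGHTS_ALL 0x0000FFFFu /* bits 0-15  */
#define GENERIC_BITS (GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL)

/* Same shape as the Win32 GENERIC_MAPPING structure. */
typedef struct {
    uint32_t generic_read, generic_write, generic_execute, generic_all;
} generic_mapping;

/* Assumed mapping for token objects (TOKEN_READ, TOKEN_WRITE,
 * TOKEN_EXECUTE, TOKEN_ALL_ACCESS values from winnt.h). */
static const generic_mapping token_mapping = {
    0x00020008u, 0x000200E0u, 0x00020000u, 0x000F01FFu
};

/* Portable equivalent of MapGenericMask(): each generic bit is replaced
 * by the object-type rights it stands for, then the generic bits are cleared. */
uint32_t map_generic_mask(uint32_t mask, const generic_mapping *m)
{
    if (mask & GENERIC_READ)    mask |= m->generic_read;
    if (mask & GENERIC_WRITE)   mask |= m->generic_write;
    if (mask & GENERIC_EXECUTE) mask |= m->generic_execute;
    if (mask & GENERIC_ALL)     mask |= m->generic_all;
    return mask & ~GENERIC_BITS;
}

uint32_t standard_rights(uint32_t mapped) { return mapped & STANDARD_RIGHTS_ALL; }
uint32_t specific_rights(uint32_t mapped) { return mapped & SPECIFIC_RIGHTS_ALL; }

/* Non-zero when the mapped mask allows rewriting the DACL or the owner. */
int grants_security_control(uint32_t mapped)
{
    return (mapped & (WRITE_DAC | WRITE_OWNER)) != 0;
}

int main(void)
{
    uint32_t all = map_generic_mask(GENERIC_ALL, &token_mapping);
    uint32_t rwx = map_generic_mask(GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE, &token_mapping);
    printf("GENERIC_ALL -> %08X (security control: %d)\n", (unsigned)all, grants_security_control(all));
    printf("GENERIC_R|W|X -> %08X (security control: %d)\n", (unsigned)rwx, grants_security_control(rwx));
    return 0;
}
```

Running the same comparison with the mapping of the object type an ACE actually protects shows which standard rights a GENERIC_ALL entry carries for that type.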
