| From: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com> |
|---|---|
| To: | breen(at)rtda(dot)com |
| Cc: | PostgreSQL mailing lists <pgsql-bugs(at)postgresql(dot)org> |
| Subject: | Re: BUG #13755: pgwin32_is_service not checking if SECURITY_SERVICE_SID is disabled |
| Date: | 2015-11-05 15:39:09 |
| Message-ID: | CAB7nPqQG_BL6Ct=DRgn5=REODErXwosRAGk6B6BemGWJFjeoow@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs pgsql-hackers |
On Wed, Nov 4, 2015 at 3:23 PM, <breen(at)rtda(dot)com> wrote:
> Short version: pgwin32_is_service checks the process token for
> SECURITY_SERVICE_RID by doing an EqualSid check. This will match against a
> SECURITY_SERVICE_RID that has been disabled ("use_for_deny_only"), causing
> PG to think it's a service when it is not. This causes it to attempt to log
> to the event log, but this doesn't work, and so there is no logging at all.
OK. So if I am following correctly... If Postgres process uses a
SECURITY_SERVICE_RID SID that has SE_GROUP_USE_FOR_DENY_ONLY enabled
it will try to access to the event logs but will be denied as all
accesses are denied with this attribute, right?
What do you think about the patch attached then?
--
Michael
| Attachment | Content-Type | Size |
|---|---|---|
| 20151105_windows_sid_deny.patch | application/x-patch | 918 bytes |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Breen Hagan | 2015-11-05 16:00:30 | Re: BUG #13755: pgwin32_is_service not checking if SECURITY_SERVICE_SID is disabled |
| Previous Message | Michael Paquier | 2015-11-05 06:00:51 | Re: Re: BUG #13685: Archiving while idle every archive_timeout with wal_level hot_standby |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Breen Hagan | 2015-11-05 16:00:30 | Re: BUG #13755: pgwin32_is_service not checking if SECURITY_SERVICE_SID is disabled |
| Previous Message | Fabien COELHO | 2015-11-05 15:36:40 | Re: pgbench gaussian/exponential docs improvements |