Re: BUG #13755: pgwin32_is_service not checking if SECURITY_SERVICE_SID is disabled

From: Michael Paquier <michael(dot)paquier(at)gmail(dot)com>
To: breen(at)rtda(dot)com
Cc: PostgreSQL mailing lists <pgsql-bugs(at)postgresql(dot)org>
Subject: Re: BUG #13755: pgwin32_is_service not checking if SECURITY_SERVICE_SID is disabled
Date: 2015-11-05 15:39:09
Message-ID: CAB7nPqQG_BL6Ct=DRgn5=REODErXwosRAGk6B6BemGWJFjeoow@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox
Thread:
Lists: pgsql-bugs pgsql-hackers

On Wed, Nov 4, 2015 at 3:23 PM, <breen(at)rtda(dot)com> wrote:
> Short version: pgwin32_is_service checks the process token for
> SECURITY_SERVICE_RID by doing an EqualSid check. This will match against a
> SECURITY_SERVICE_RID that has been disabled ("use_for_deny_only"), causing
> PG to think it's a service when it is not. This causes it to attempt to log
> to the event log, but this doesn't work, and so there is no logging at all.

OK. So if I am following correctly... If Postgres process uses a
SECURITY_SERVICE_RID SID that has SE_GROUP_USE_FOR_DENY_ONLY enabled
it will try to access to the event logs but will be denied as all
accesses are denied with this attribute, right?

What do you think about the patch attached then?
--
Michael

Attachment Content-Type Size
20151105_windows_sid_deny.patch application/x-patch 918 bytes

In response to

Responses

Browse pgsql-bugs by date

  From Date Subject
Next Message Breen Hagan 2015-11-05 16:00:30 Re: BUG #13755: pgwin32_is_service not checking if SECURITY_SERVICE_SID is disabled
Previous Message Michael Paquier 2015-11-05 06:00:51 Re: Re: BUG #13685: Archiving while idle every archive_timeout with wal_level hot_standby

Browse pgsql-hackers by date

  From Date Subject
Next Message Breen Hagan 2015-11-05 16:00:30 Re: BUG #13755: pgwin32_is_service not checking if SECURITY_SERVICE_SID is disabled
Previous Message Fabien COELHO 2015-11-05 15:36:40 Re: pgbench gaussian/exponential docs improvements