Re: BUG #13755: pgwin32_is_service not checking if SECURITY_SERVICE_SID is disabled

From: Michael Paquier <michael(dot)paquier(at)gmail(dot)com>
To: Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>
Cc: Breen Hagan <breen(at)rtda(dot)com>, PostgreSQL mailing lists <pgsql-bugs(at)postgresql(dot)org>
Subject: Re: BUG #13755: pgwin32_is_service not checking if SECURITY_SERVICE_SID is disabled
Date: 2016-04-08 06:48:11
Message-ID: CAB7nPqSvfu=KpJ=NX+YAHmgAmQdzA7N5h31BjzXeMgczhGCC+Q@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox
Thread:
Lists: pgsql-bugs pgsql-hackers

On Tue, Apr 5, 2016 at 12:58 PM, Michael Paquier
<michael(dot)paquier(at)gmail(dot)com> wrote:
> On Tue, Apr 5, 2016 at 1:08 AM, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com> wrote:
>> Michael Paquier wrote:
>>> This is not resolved yet, this just fell from my radar and I recall
>>> that I spent some time thinking about the consequences and whereabouts
>>> of using either SE_GROUP_ENABLED or SE_GROUP_USE_FOR_DENY_ONLY,
>>> without actually reaching a conclusion. I think that the patch would
>>> be straight-forward. But it needs a bit of review from the author
>>> (Hi!) and some extra input would be welcome. I guess I could try to
>>> look at that again.. That won't be this week for sure though.
>>
>> Bump.
>
> Don't worry. This has not fallen from my radar yet..

So I have been looking at this issue again and finished with the patch
attached. I think that it makes the most sense to browse the whole
list of groups, and choose if Postgres is running as a service if
service SID matches with one of the group SIDs listed, on top of which
this group SID should be enabled via SE_GROUP_ENABLED. Checking for
SE_GROUP_USE_FOR_DENY_ONLY would not make much sense, because it would
mean that SE_GROUP_ENABLED is not set, and that's what we are
interested in. That was in short the point of Breen, and it looks to
be the saner way to go.

What do others think?
--
Michael

Attachment Content-Type Size
win32-security-service-v2.patch invalid/octet-stream 466 bytes

In response to

Responses

Browse pgsql-bugs by date

  From Date Subject
Next Message Magnus Hagander 2016-04-08 11:38:42 Re: [HACKERS] BUG #13854: SSPI authentication failure: wrong realm name used
Previous Message Magnus Hagander 2016-04-08 05:29:47 Re: [BUGS] Re: BUG #13854: SSPI authentication failure: wrong realm name used

Browse pgsql-hackers by date

  From Date Subject
Next Message Etsuro Fujita 2016-04-08 07:05:37 Re: Optimization for updating foreign tables in Postgres FDW
Previous Message Robert Haas 2016-04-08 06:46:05 Re: Refactoring speculative insertion with unique indexes a little