Re: BUG #13755: pgwin32_is_service not checking if SECURITY_SERVICE_SID is disabled

From: Breen Hagan <breen(at)rtda(dot)com>
To: Heikki Linnakangas <hlinnaka(at)iki(dot)fi>
Cc: Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, PostgreSQL mailing lists <pgsql-bugs(at)postgresql(dot)org>
Subject: Re: BUG #13755: pgwin32_is_service not checking if SECURITY_SERVICE_SID is disabled
Date: 2016-09-23 17:55:14
Message-ID: CAC6pFPwwwufOHocFEbZimnd6-Mh3A2xYA=F9HmC_kxV1NTXhoA@mail.gmail.com
Lists: pgsql-bugs pgsql-hackers

Hi,

Sorry for the delay in response. We don't presently build postgres for
Windows (we do for linux and macos), but I'm willing to give it a shot if
there is a solid doc on setting up the build. That would probably be
easier than doing a test program.

Breen

On Wed, Sep 21, 2016 at 7:50 AM, Heikki Linnakangas <hlinnaka(at)iki(dot)fi> wrote:

> On 04/08/2016 09:48 AM, Michael Paquier wrote:
>
>> So I have been looking at this issue again and finished with the patch
>> attached. I think that it makes the most sense to browse the whole
>> list of groups, and choose if Postgres is running as a service if
>> service SID matches with one of the group SIDs listed, on top of which
>> this group SID should be enabled via SE_GROUP_ENABLED. Checking for
>> SE_GROUP_USE_FOR_DENY_ONLY would not make much sense, because it would
>> mean that SE_GROUP_ENABLED is not set, and that's what we are
>> interested in. That was in short the point of Breen, and it looks to
>> be the saner way to go.
>>
>
> Yeah, seems like the right way. pgwin32_is_admin() also checks for
> SE_GROUP_ENABLED.
>
> I think this is ready to be committed, except that I don't have an easy
> way to reproduce the original problem to test this. I suppose I could write
> a test program to call CreateRestrictedToken() and CreateProcessAsUser(),
> but would rather avoid the work. Breen, if I push a fix for this, can you
> build from sources and verify that it fixes your original problem? Or
> alternatively, can you provide a test program that I can use to verify it?
>
> - Heikki
>
>
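
The group check discussed in this thread, as an added example that is not part of the original messages or of the PostgreSQL patch: a portable C model of walking a token's group list and requiring SE_GROUP_ENABLED on the service SID. The struct types, function names and sample tokens are assumptions constructed for illustration; only the two SE_GROUP_* values and the S-1-5-6 service SID are the Windows definitions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Attribute flags with the values defined in winnt.h. */
#define SE_GROUP_ENABLED           0x00000004u
#define SE_GROUP_USE_FOR_DENY_ONLY 0x00000010u

/* Hypothetical stand-ins for SID and SID_AND_ATTRIBUTES (not the Win32 types). */
typedef struct { uint8_t authority; uint8_t count; uint32_t sub[4]; } ModelSid;
typedef struct { ModelSid sid; uint32_t attributes; } ModelGroup;

/* S-1-5-6: SECURITY_NT_AUTHORITY with SECURITY_SERVICE_RID. */
static const ModelSid SERVICE_SID = { 5, 1, { 6 } };

/* Constructed sample tokens: S-1-5-32-545 is BUILTIN\Users. */
static const ModelGroup SERVICE_TOKEN[] = {
    { { 5, 2, { 32, 545 } }, SE_GROUP_ENABLED },
    { { 5, 1, { 6 } },       SE_GROUP_ENABLED },
};
static const ModelGroup RESTRICTED_TOKEN[] = {   /* service SID is deny-only */
    { { 5, 2, { 32, 545 } }, SE_GROUP_ENABLED },
    { { 5, 1, { 6 } },       SE_GROUP_USE_FOR_DENY_ONLY },
};

static int sid_equal(const ModelSid *a, const ModelSid *b)
{
    return a->authority == b->authority && a->count == b->count &&
           memcmp(a->sub, b->sub, a->count * sizeof(uint32_t)) == 0;
}

/* Walk every group; with require_enabled set, a matching SID only counts
 * when SE_GROUP_ENABLED is present. With it clear, presence alone counts. */
int is_service(const ModelGroup *g, size_t n, int require_enabled)
{
    for (size_t i = 0; i < n; i++)
        if (sid_equal(&g[i].sid, &SERVICE_SID) &&
            (!require_enabled || (g[i].attributes & SE_GROUP_ENABLED)))
            return 1;
    return 0;
}

int main(void)
{
    printf("service token:    presence=%d enabled=%d\n",
           is_service(SERVICE_TOKEN, 2, 0), is_service(SERVICE_TOKEN, 2, 1));
    printf("restricted token: presence=%d enabled=%d\n",
           is_service(RESTRICTED_TOKEN, 2, 0), is_service(RESTRICTED_TOKEN, 2, 1));
    return 0;
}
```

On the constructed restricted token, the presence-only check still reports a service while the SE_GROUP_ENABLED check does not.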
