Re: BUG #13755: pgwin32_is_service not checking if SECURITY_SERVICE_SID is disabled

Michael,

I'm pretty sure your patch will fix my issue, but perhaps it should be a
positive check for SE_GROUP_ENABLED? I say "perhaps" because the last time
I did any serious Windows coding was 2005.

Thanks for the quick response!

Breen

On Thu, Nov 5, 2015 at 9:39 AM, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>
wrote:

> On Wed, Nov 4, 2015 at 3:23 PM, <breen(at)rtda(dot)com> wrote:
> > Short version: pgwin32_is_service checks the process token for
> > SECURITY_SERVICE_RID by doing an EqualSid check. This will match
> against a
> > SECURITY_SERVICE_RID that has been disabled ("use_for_deny_only"),
> causing
> > PG to think it's a service when it is not. This causes it to attempt to
> log
> > to the event log, but this doesn't work, and so there is no logging at
> all.
>
> OK. So if I am following correctly... If Postgres process uses a
> SECURITY_SERVICE_RID SID that has SE_GROUP_USE_FOR_DENY_ONLY enabled
> it will try to access to the event logs but will be denied as all
> accesses are denied with this attribute, right?
>
> What do you think about the patch attached then?
> --
> Michael
>