Re: BUG #16341: Installation with EnterpriseDB Community installer in NT AUTHORITY\SYSTEM context not possible

Hi Bert,

We have generated a "test" installer with the fix for v11 and uploaded it
here
<https://drive.google.com/file/d/1XTQo9C3ZEwQ7KuwOXmwBhC3FE77-chAP/view>.
Could you please verify if it fixes the issue? If it does, then we would
release an update for all affected versions. Thank you.

On Wed, Apr 15, 2020 at 8:35 PM Bert Brezel <pg(dot)dba(dot)iit(dot)team(at)gmail(dot)com>
wrote:

> Hi Fahar, hi Sandeep
>
> thank you for investigating.
>
> As mentioned earlier, the installation works with a domain account. The
> domain account is also member of the local administrator group of the
> server where I get the error message.
>
> I get the error I reported if I try to start the installer in NT
> AUTHORITY\SYSTEM security context. I get this context by using psexec.exe.
>
> The last installer I know of that worked for me was 9.6.12.
>
> Kind regards
>
> Am Sa., 11. Apr. 2020 um 07:12 Uhr schrieb Sandeep Thakkar <
> sandeep(dot)thakkar(at)enterprisedb(dot)com>:
>
>> Fahar, Bert,
>>
>> It's reproducible at my end. I'll investigate and get back to you.
>>
>> On Fri, Apr 10, 2020 at 6:58 PM Fahar Abbas <fahar(dot)abbas(at)enterprisedb(dot)com>
>> wrote:
>>
>>> Hi Bert,
>>>
>>> I am not able to reproduce the issue on normal users while I am only
>>> getting an error message while I run installer on Domain control Admin
>>> Account.
>>>
>>> Please find the issue on snapshot.
>>>
>>> Is this the same problem you are facing?
>>>
>>> On Mon, Apr 6, 2020 at 7:11 PM Bert Brezel <pg(dot)dba(dot)iit(dot)team(at)gmail(dot)com>
>>> wrote:
>>>
>>>> Hi, thank you for your reply. I answered below your comments.
>>>>
>>>> On Fri, Apr 3, 2020 at 7:47 PM PG Bug reporting form <
>>>> noreply(at)postgresql(dot)org> wrote:
>>>>
>>>>> The following bug has been logged on the website:
>>>>>
>>>>> Bug reference: 16341
>>>>> Logged by: Enrico La Torre
>>>>> Email address: pg(dot)dba(dot)iit(dot)team(at)gmail(dot)com
>>>>> PostgreSQL version: 9.6.17
>>>>> Operating system: Windows Server 2016
>>>>> Description:
>>>>>
>>>>> Hi,
>>>>>
>>>>> it could be that the same bug was reported in
>>>>>
>>>>> https://www.postgresql.org/message-id/16001-fa33ba75a039fc7d%40postgresql.org
>>>>> , but nobody answered until today.
>>>>>
>>>>> It is impossible for me to install PostgreSQL 9.6.17 with the
>>>>> EnterpriseDB
>>>>> installer (free Community Edition) on Windows Server 2016 in the
>>>>> security
>>>>> context of NT AUTHORITY\SYSTEM.
>>>>
>>>>
>>>> Can you elaborate this please?
>>>>
>>>> I use psexec.exe from the Sysinternals Suite
>>>> <https://docs.microsoft.com/de-de/sysinternals/downloads/sysinternals-suite> to
>>>> get a PowerShell cmd shell in NT AUTHORITY\SYSTEM context. whoami returns
>>>> 'nt authority\system'.
>>>> If I then start the installer with
>>>> '.\postgresql-9.6.17-1-windows-x64.exe' the interactive installer starts
>>>> and returns the given error message. To be precise, only the logo of
>>>> EnterpriseDB is shown and then the error message appears.
>>>> Usually we call the installer in the unattended mode in our scripts but
>>>> it even fails in the interactive mode now. So I ruled out any error with
>>>> the argument list of the installer call.
>>>>
>>>>
>>>>> If I start the installer with a regular
>>>>> domain admin account, which is also local administrator, the installer
>>>>> starts.
>>>>>
>>>>> OK
>>>>
>>>>
>>>>> I receive the error message:
>>>>> "Error running icacls
>>>>> "C:\Windows\Temp/postgresql_installer_ca555e4059" /T
>>>>> /Q /grant "<DOMAIN>/<COMPUTERNAME>$:(OI)(CI)F":
>>>>> C:\Windows\Temp/postgresql_installer_ca555e4059\*: Access is denied"
>>>>>
>>>>> I disclaimed The log file of the installer
>>>>> 'C:\Windows\Temp\install-postgresql.log' is never written.
>>>>>
>>>>> There must be files starting with bitrock*
>>>>
>>>> The file 'C:\Windows\Temp\bitrock_installer.log' shows (I also attached
>>>> the file to this mail):
>>>>
>>>> Log started 04/06/2020 at 15:51:53
>>>> Preferred installation mode : qt
>>>> Trying to init installer in mode qt
>>>> Mode qt successfully initialized
>>>> Executing icacls "C:\Windows\Temp/postgresql_installer_f37cf0f7f1"
>>>> /inheritance:r
>>>> Script exit code: 0
>>>>
>>>> Script output:
>>>> processed file: C:\Windows\Temp/postgresql_installer_f37cf0f7f1
>>>> Successfully processed 1 files; Failed processing 0 files
>>>>
>>>> Script stderr:
>>>>
>>>>
>>>> Executing icacls "C:\Windows\Temp/postgresql_installer_f37cf0f7f1" /T
>>>> /Q /grant "ALDI-199\911-092STL01$:(OI)(CI)F"
>>>> Script exit code: 5
>>>>
>>>> Script output:
>>>> Successfully processed 1 files; Failed processing 1 files
>>>>
>>>> Script stderr:
>>>> C:\Windows\Temp/postgresql_installer_f37cf0f7f1\*: Access is denied.
>>>>
>>>> Error running icacls "C:\Windows\Temp/postgresql_installer_f37cf0f7f1"
>>>> /T /Q /grant "ALDI-199\911-092STL01$:(OI)(CI)F":
>>>> C:\Windows\Temp/postgresql_installer_f37cf0f7f1\*: Access is denied.
>>>> Cannot delete file C:/Windows/Temp/postgresql_installer_f37cf0f7f1
>>>> Exiting with code 1
>>>>
>>>>
>>>>
>>>>
>>>>> SYSTEM has FULL CONTROL for 'C:\Windows\Temp'. Created directories in
>>>>> this
>>>>> directory by SYSTEM inherit FULL CONTROL from the parent. But if I
>>>>> check the
>>>>> temporary directory '.\postgresql_installer_ca555e4059' I see that the
>>>>> inheritance is disabled for this particular directory. Only the
>>>>> principal
>>>>> named <DOMAIN>/<COMPUTERNAME>$ has FULL CONTROL not SYSTEM.
>>>>>
>>>>> Sure, once I receive the logs I may ask you to get the ACLs for some
>>>> directories which will give us more clues.
>>>>
>>>>
>>>>> The same issue is also true for PostgreSQL 12.2. The last time this
>>>>> procedure worked that I know is with the installer for PostgreSQL
>>>>> 9.6.12.
>>>>>
>>>>> Kind regards
>>>>>
>>>>>
>>>>
>>>> Am Mo., 6. Apr. 2020 um 14:27 Uhr schrieb Sandeep Thakkar <
>>>> sandeep(dot)thakkar(at)enterprisedb(dot)com>:
>>>>
>>>>> Hi,
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Apr 3, 2020 at 7:47 PM PG Bug reporting form <
>>>>> noreply(at)postgresql(dot)org> wrote:
>>>>>
>>>>>> The following bug has been logged on the website:
>>>>>>
>>>>>> Bug reference: 16341
>>>>>> Logged by: Enrico La Torre
>>>>>> Email address: pg(dot)dba(dot)iit(dot)team(at)gmail(dot)com
>>>>>> PostgreSQL version: 9.6.17
>>>>>> Operating system: Windows Server 2016
>>>>>> Description:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> it could be that the same bug was reported in
>>>>>>
>>>>>> https://www.postgresql.org/message-id/16001-fa33ba75a039fc7d%40postgresql.org
>>>>>> , but nobody answered until today.
>>>>>>
>>>>>> It is impossible for me to install PostgreSQL 9.6.17 with the
>>>>>> EnterpriseDB
>>>>>> installer (free Community Edition) on Windows Server 2016 in the
>>>>>> security
>>>>>> context of NT AUTHORITY\SYSTEM.
>>>>>
>>>>>
>>>>> Can you elaborate this please?
>>>>>
>>>>>
>>>>>> If I start the installer with a regular
>>>>>> domain admin account, which is also local administrator, the installer
>>>>>> starts.
>>>>>>
>>>>>> OK
>>>>>
>>>>>
>>>>>> I receive the error message:
>>>>>> "Error running icacls
>>>>>> "C:\Windows\Temp/postgresql_installer_ca555e4059" /T
>>>>>> /Q /grant "<DOMAIN>/<COMPUTERNAME>$:(OI)(CI)F":
>>>>>> C:\Windows\Temp/postgresql_installer_ca555e4059\*: Access is denied"
>>>>>>
>>>>>> I disclaimed The log file of the installer
>>>>>> 'C:\Windows\Temp\install-postgresql.log' is never written.
>>>>>>
>>>>>> There must be files starting with bitrock*
>>>>>
>>>>>
>>>>>> SYSTEM has FULL CONTROL for 'C:\Windows\Temp'. Created directories in
>>>>>> this
>>>>>> directory by SYSTEM inherit FULL CONTROL from the parent. But if I
>>>>>> check the
>>>>>> temporary directory '.\postgresql_installer_ca555e4059' I see that the
>>>>>> inheritance is disabled for this particular directory. Only the
>>>>>> principal
>>>>>> named <DOMAIN>/<COMPUTERNAME>$ has FULL CONTROL not SYSTEM.
>>>>>>
>>>>>> Sure, once I receive the logs I may ask you to get the ACLs for some
>>>>> directories which will give us more clues.
>>>>>
>>>>>
>>>>>> The same issue is also true for PostgreSQL 12.2. The last time this
>>>>>> procedure worked that I know is with the installer for PostgreSQL
>>>>>> 9.6.12.
>>>>>>
>>>>>> Kind regards
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> Sandeep Thakkar
>>>>>
>>>>>
>>>>>
>>>
>>> --
>>> Fahar Abbas
>>> QMG
>>> EnterpriseDB Corporation
>>> Phone Office: +92-51-835-8874
>>> Phone Direct: +92-51-8466803
>>> Mobile: +92-333-5409707
>>> Skype ID: *live:fahar.abbas*
>>> Website: www.enterprisedb.com
>>>
>>
>>
>> --
>> Sandeep Thakkar
>>
>>
>>

--
Sandeep Thakkar