dropping privileges on windows vs privileged accounts

From: Andres Freund <andres(at)anarazel(dot)de>
To: pgsql-hackers(at)postgresql(dot)org, Dave Page <dpage(at)pgadmin(dot)org>, Alexander Lakhin <exclusion(at)gmail(dot)com>
Subject: dropping privileges on windows vs privileged accounts
Date: 2024-07-07 06:40:46
Message-ID: 20240707064046.blgjxoqiywunbebl@awork3.anarazel.de
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Hi,

While working to address some of Dave's concerns at [1], I encountered the odd
issue of tests failing because postmaster not being allowed to open
pg_control. This did not happen for all tests, but for a lot of tests.

For example, the only output in
pg_upgrade/003_logical_slots/log/003_logical_slots_oldpub.log would be

2024-07-06 00:31:58.293 UTC [4432] PANIC: could not open file "global/pg_control": Permission denied

For some other tests it was pg_regress --config-auth that couldn't open
pg_hba.conf for writing.

I spent an embarassingly large amount of time debugging this. Unfortuntely I
couldn't reproduce this locally, just in Dave's github-actions environment.

After going down *many* rabbitholes, I figured out that this is due to a
poorly documented peculiarity of windows file-ownership logic - which
apparently is only active when "UAC" is disabled - which is the case for the
images github actions [2].

From what I gather from old documentation [3], when a highly privileged user
creates a directory/file with UAC disabled, the newly created object is *not*
owned by the user, but magically owned by the "Administrators" group.

Normally that's kinda fine, the user presumably continues to be a member of
the admin group and can access the file that way. However, this blows up when
combined with pg_ctl dropping privileges - after the privileges are dropped,
the user is *not* considered a member of the administrators group anymore.
And boom, postmaster can't write to pg_control in some circumstances.

What made this nastier is that this only applied to *some* tests, not
all. Sometimes it works, because the database is created via initdb, which
does also drop privileges (albeit slightly differently). However, that
doesn't get us very far:
1) initdb template gets copied (we could fix this by adding /sec to robocopy)
2) pg_basebackup doesn't do the get_restricted_token() dance (we could add that)
3) there are quite a few other sources of data directories being copied,
e.g. Cluster.pm's init_from_backup()

Once one knows what the issue is, it's not too hard to work around - adding an
inheritable ACL explicitly granting the user permissions works. E.g. with
icacls.exe . /inheritance:e /grant 'runneradmin:(OI)(CI)F';
(with the current user being runneradmin)

That way the current user has access, even if not considered a domain admin
anymore.

The only other postgres person that referenced this issue is Alexander Lakhin,
at [4].

This email is partially just so I have something to find if I ever
re-encounter this issue. I intend to forget this ASAP.

Greetings,

Andres Freund

[1] https://www.postgresql.org/message-id/CA%2BOCxowQhMHFNRLTsXNuJpC96KRtSPHYKJuOS%3Db-Zrwmy-P4-g%40mail.gmail.com
[2] https://github.com/actions/runner-images/blob/ca499b86975e62edd4a0ac336de94af096635838/images/windows/scripts/build/Configure-BaseImage.ps1#L28-L31
[3] https://community.netapp.com/t5/AFF/Owner-on-newly-created-files-and-folders-default-to-built-in-Administrators/td-p/146645
[4] https://www.postgresql.org/message-id/3f72f608-88ab-bd43-b7de-685c26e69421%40gmail.com

Browse pgsql-hackers by date

  From Date Subject
Next Message Andres Freund 2024-07-07 07:02:43 010_pg_basebackup.pl vs multiple filesystems
Previous Message Konstantin Knizhnik 2024-07-07 06:32:34 Re: 回复: An implementation of multi-key sort