Re: BUG #13755: pgwin32_is_service not checking if SECURITY_SERVICE_SID is disabled

From: Michael Paquier <michael(dot)paquier(at)gmail(dot)com>
To: MauMau <maumau307(at)gmail(dot)com>
Cc: Breen Hagan <breen(at)rtda(dot)com>, Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: BUG #13755: pgwin32_is_service not checking if SECURITY_SERVICE_SID is disabled
Date: 2016-11-06 12:12:24
Message-ID: CAB7nPqTRtATjX5JwYwE41X4TzzVLnykmXiTxNsn3wziMHp43Hg@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-bugs pgsql-hackers

On Sun, Nov 6, 2016 at 6:30 PM, MauMau <maumau307(at)gmail(dot)com> wrote:
> Sorry, I may have had to send this to pgsql-hackers. I just replied
> to all, which did not include pgsql-hackers but pgsql-bugs because
> this discussion was on pgsql-bugs. CommitFest app doesn't seem to
> reflect the mails on pgsql-bugs, so I'm re-submitting this here on
> pgsql-hackers.

No problem, I still see a unique thread so that's not an issue seen from here.

> I reviewed and tested this patch after simplifying it like the
> attached one. The file could be reduced by about 110 lines. Please
> review and/or test it. Though I kept the status "ready for
> committer", feel free to change it back based on the result.

So you see the same behavior with the patch I sent and your
refactoring, right? If yes, backpatching the one-liner is the safest
bet to me. We could keep the refactoring for HEAD if it makes sense.

Something is wrong with the format of your patch by the way. My
Windows and even OSX environments recognize it as a binary file,
though I can read it in any editor and I cannot apply it cleanly with
a simple patch command. Could you send it again and double-check?

> To reproduce the OP's problem, I modified pg_ctl.c to disable
> SECURITY_SERVICE_RID when spawning postgres.exe.

So basically you allocated a SID to drop via AllocateAndInitializeSid,
called _CreateRestrictedToken and let the process being spawned? I
think that this is the patch attached
(win32-disable-service-rid.patch). Could you confirm? I want to be
sure that we are testing the same things.
--
Michael

Attachment Content-Type Size
win32-disable-service-rid.patch text/x-patch 1.3 KB

In response to

Responses

Browse pgsql-bugs by date

  From Date Subject
Next Message Tom Lane 2016-11-06 17:12:40 Re: BUG #14414: SPI_ERROR_CONNECT on stable plpgsql function used for domain check
Previous Message MauMau 2016-11-06 09:30:41 Re: BUG #13755: pgwin32_is_service not checking if SECURITY_SERVICE_SID is disabled

Browse pgsql-hackers by date

  From Date Subject
Next Message Artur Zakirov 2016-11-06 15:26:57 Re: Bug in to_timestamp().
Previous Message MauMau 2016-11-06 09:30:41 Re: BUG #13755: pgwin32_is_service not checking if SECURITY_SERVICE_SID is disabled