From: Craig Ringer [mailto:craig.ringer@2ndquadrant.com]
> TBH, anyone who cares about security and runs Win7 or Win2k8 or newer should
> be using virtual service accounts and managed service accounts.
>
> https://technet.microsoft.com/en-us/library/dd548356
>
>
> Those are more like Unix service accounts. Notably they don't need a password,
> getting rid of some of the management pain that led us to abandon the
> 'postgres' system user on Windows.
>
> Now that older platforms are EoL and even the oldest that added this feature
> are also near EoL or in extended maintenance, I think installers should
> switch to these by default instead of using NETWORK SERVICE.
>
> Then the issue of priv dropping would be a lesser concern anyway.
Good point! And I said earlier in this thread, I think managing privileges (adding/revoking privileges from the user
account)is the DBA's or sysadmin's duty, and PG's removing all privileges feels overkill.
OTOH, I tried again to leave the DISABLE_MAX_PRIVILEGE as is and add Lock Pages in Memory, using the attached pg_ctl.c.
Please see EnableLockPagesPrivilege() and its call site. But pg_ctl -w start fails emitting the following message:
error code 1300
waiting for server to start....FATAL: could not enable "Lock pages in memory" privilege
HINT: Assign "Lock pages in memory" privilege to the Windows user account which runs PostgreSQL.
LOG: database system is shut down
stopped waiting
pg_ctl: could not start server
Examine the log output.
error code 1300 is ERROR_NOT_ALL_ASSIGNED, which means AdjustTokenPrivileges() cound not enable Lock Pages in Memory
privilege. It seems that the privilege cannot be enabled once it was removed with
CreateRestrictedToken(DISABLE_MAX_PRIVILEGE).
Regards
Takayuki Tsunakawa
