Re: Fix for initdb failures on Vista - Mailing list pgsql-patches

From Magnus Hagander
Subject Re: Fix for initdb failures on Vista
Date
Msg-id 20080227123330.GB10209@svr2.hagander.net
In response to Fix for initdb failures on Vista  ("Dave Page" <dpage@pgadmin.org>)
Responses Re: Fix for initdb failures on Vista  (Andrew Dunstan <andrew@dunslane.net>)
List pgsql-patches
On Thu, Feb 21, 2008 at 03:02:07PM +0000, Dave Page wrote:
> The attached patch fixes problems reported primarily on Vista, but
> also on some Windows 2003 and XP installations in which initdb reports
> that it cannot find postgres.exe.
>
> This occurs because of security-related changes implemented in Windows
> Vista and recent patches on older OS's. When running initdb or pg_ctl
> we currently create a restricted security token with the
> Administrators and Power Users groups (and thus their privileges)
> removed and re-execute the same program using the restricted token.
> This ensures that the process is run without potentially dangerous
> privileges no matter what user account it was started from. On Vista
> and friends however, the default DACL (list of Access Control Entries)
> used in the restricted token contains Administrators (the group) &
> System when we run as Administrator, vs. User + System when run as
> other users. Because we then drop Administrators, we are left with
> only the System ACE in the DACL, which does not allow us to use
> CreatePipe()/CreateProcess().
>
> To fix this, when we create the restricted process, we initially start
> it in suspended mode. We modify its DACL to explicitly add an ACE for
> the current user, and then resume the child process. This remains
> secure because administrative privileges are granted to the groups
> that we've dropped, not the user itself.
>
> I've tested on Vista and XP, but additional testing would be useful
> (Andrew, Magnus?). Please apply to head, 8.3 and 8.2

Other than Heikki's comments:

We obviously need to test-build on mingw, so if someone can do that, please
do. If not, I'll try to get my VM up and running on it (since mingw doesn't
work on my win64 box).

I'm also a bit concerned that there are a whole lot of failure cases in
AddUserToDacl() that all return the same, thus making it impossible to
track down a problem in this code. Given that these are fairly complex
interactions with the API, I think we'll want to add actual error messages
to the individual failure cases. Thoughts?

//Magnus
