Re: BUG #13755: pgwin32_is_service not checking if SECURITY_SERVICE_SID is disabled - Mailing list pgsql-bugs

From Heikki Linnakangas
Subject Re: BUG #13755: pgwin32_is_service not checking if SECURITY_SERVICE_SID is disabled
Date
Msg-id 64a0ee81-2e30-c9b1-97b6-312772f89a2e@iki.fi
In response to Re: BUG #13755: pgwin32_is_service not checking if SECURITY_SERVICE_SID is disabled  (Michael Paquier <michael.paquier@gmail.com>)
Responses Re: BUG #13755: pgwin32_is_service not checking if SECURITY_SERVICE_SID is disabled  (Breen Hagan <breen@rtda.com>)
List pgsql-bugs
On 04/08/2016 09:48 AM, Michael Paquier wrote:
> So I have been looking at this issue again and finished with the patch
> attached. I think that it makes the most sense to browse the whole
> list of groups, and choose if Postgres is running as a service if
> service SID matches with one of the group SIDs listed, on top of which
> this group SID should be enabled via SE_GROUP_ENABLED. Checking for
> SE_GROUP_USE_FOR_DENY_ONLY would not make much sense, because it would
> mean that SE_GROUP_ENABLED is not set, and that's what we are
> interested in. That was in short the point of Breen, and it looks to
> be the saner way to go.

Yeah, seems like the right way. pgwin32_is_admin() also checks for
SE_GROUP_ENABLED.

I think this is ready to be committed, except that I don't have an easy
way to reproduce the original problem to test this. I suppose I could
write a test program to call CreateRestrictedToken() and
CreateProcessAsUser(), but would rather avoid the work. Breen, if I push
a fix for this, can you build from sources and verify that it fixes your
original problem? Or alternatively, can you provide a test program that
I can use to verify it?

- Heikki
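
The check discussed in this message, as an added example that is not part of the original post or of the PostgreSQL patch: a portable C model of the group scan, comparing a membership-only test with one that also requires SE_GROUP_ENABLED. The `group_entry` type, the function names and the two group lists are constructed for illustration and SIDs are kept as strings; the attribute bit values and the service SID S-1-5-6 are the ones Windows defines.

```c
/* Portable model of the token-group scan; builds without <windows.h>. */
#include <stdio.h>
#include <string.h>

/* Attribute bits, same values as in winnt.h. */
#define SE_GROUP_ENABLED            0x00000004u
#define SE_GROUP_USE_FOR_DENY_ONLY  0x00000010u
#define SERVICE_SID "S-1-5-6"  /* NT AUTHORITY\SERVICE */

/* Hypothetical stand-in for SID_AND_ATTRIBUTES (assumption, not the Win32 type). */
typedef struct { const char *sid; unsigned attributes; } group_entry;

/* Membership-only scan: any occurrence of the service SID counts. */
static int is_service_membership_only(const group_entry *g, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(g[i].sid, SERVICE_SID) == 0)
            return 1;
    return 0;
}

/* Scan described in the thread: the SID must match and be enabled. */
static int is_service_enabled_only(const group_entry *g, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(g[i].sid, SERVICE_SID) == 0 &&
            (g[i].attributes & SE_GROUP_ENABLED))
            return 1;
    return 0;
}

/* Constructed group lists: a service token, and one with the SID deny-only. */
static const group_entry service_token[] = {
    {"S-1-1-0", SE_GROUP_ENABLED},
    {"S-1-5-6", SE_GROUP_ENABLED},
};
static const group_entry restricted_token[] = {
    {"S-1-1-0", SE_GROUP_ENABLED},
    {"S-1-5-6", SE_GROUP_USE_FOR_DENY_ONLY},
};

int main(void)
{
    printf("service token:    membership=%d enabled=%d\n",
           is_service_membership_only(service_token, 2), is_service_enabled_only(service_token, 2));
    printf("restricted token: membership=%d enabled=%d\n",
           is_service_membership_only(restricted_token, 2), is_service_enabled_only(restricted_token, 2));
    return 0;
}
```

Only the restricted token separates the two scans: the membership-only version still reports a service, while the enabled-only version does not.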
