Home > mailing lists

Re: BUG #13755: pgwin32_is_service not checking if SECURITY_SERVICE_SID is disabled - Mailing list pgsql-bugs

From	Michael Paquier
Subject	Re: BUG #13755: pgwin32_is_service not checking if SECURITY_SERVICE_SID is disabled
Date	November 5, 2015 18:39:16
Msg-id	CAB7nPqQG_BL6Ct=DRgn5=REODErXwosRAGk6B6BemGWJFjeoow@mail.gmail.com Whole thread Raw
In response to	BUG #13755: pgwin32_is_service not checking if SECURITY_SERVICE_SID is disabled (breen@rtda.com)
Responses	Re: BUG #13755: pgwin32_is_service not checking if SECURITY_SERVICE_SID is disabled
List	pgsql-bugs

Tree view

On Wed, Nov 4, 2015 at 3:23 PM,  <breen@rtda.com> wrote:
> Short version: pgwin32_is_service checks the process token for
> SECURITY_SERVICE_RID by doing an EqualSid check.  This will match against a
> SECURITY_SERVICE_RID that has been disabled ("use_for_deny_only"), causing
> PG to think it's a service when it is not.  This causes it to attempt to log
> to the event log, but this doesn't work, and so there is no logging at all.

OK. So if I am following correctly... If Postgres process uses a
SECURITY_SERVICE_RID SID that has SE_GROUP_USE_FOR_DENY_ONLY enabled
it will try to access to the event logs but will be denied as all
accesses are denied with this attribute, right?

What do you think about the patch attached then?
--
Michael

Attachment

20151105_windows_sid_deny.patch

pgsql-bugs by date:

From: Joe Conway
Date: 04 November 2015, 22:16:49
Subject: Re: Version 9.4 CREATE FUNCTION - ERROR: type xxxx does not exist create function

From: Breen Hagan
Date: 05 November 2015, 19:15:38
Subject: Re: BUG #13755: pgwin32_is_service not checking if SECURITY_SERVICE_SID is disabled

Re: BUG #13755: pgwin32_is_service not checking if SECURITY_SERVICE_SID is disabled - Mailing list pgsql-bugs

Attachment

Previous

Next