Re: [HACKERS] Supporting huge pages on Windows - Mailing list pgsql-hackers

From Magnus Hagander
Subject Re: [HACKERS] Supporting huge pages on Windows
Date
Msg-id CABUevEw09Jyh3Fz+c84=AK7C7j_RphBAO-=_J4e1OkKiWR4f4A@mail.gmail.com
In response to Re: Supporting huge pages on Windows  (Robert Haas <robertmhaas@gmail.com>)
Responses Re: [HACKERS] Supporting huge pages on Windows
Re: [HACKERS] Supporting huge pages on Windows
List pgsql-hackers
On Wed, Apr 5, 2017 at 9:15 AM, Tsunakawa, Takayuki <tsunakawa.takay@jp.fujitsu.com> wrote:
> From: pgsql-hackers-owner@postgresql.org
> > [mailto:pgsql-hackers-owner@postgresql.org] On Behalf Of Andres Freund
> > As I asked before, why can't we delete all privs and add the explicitly
> > needed ones back (using AdjustTokenPrivileges)?
>
> I tried it with pg_ctl.c attached to an earlier mail today, i.e. delete all privs with CreateRestrictedToken(DISABLE_ALL_PRIVILEGE) and enable Lock Pages in Memory with AdjustTokenPrivileges().  But it didn't work; AdjustTokenPrivileges() failed to enable the priv.  It's probably that CreateRestrictedToken() deletes (unassigns?) the privs from the access token, so subsequent AdjustTokenPrivileges() can no longer enable the priv.


Once you have used CreateRestrictedToken(), you can no longer add *anything* to it. It's not just removed privileges, there's a special flag on the token that says it's restricted (can be checked with IsTokenRestricted()).

I think what you'd need to do is enumerate what privileges the user has *before* calling CreateRestrictedToken(), using GetTokenInformation(). And then pass those into PrivilegesToDelete (except for SeChangeNotifyPrivilege) in the call to CreateRestrictedToken(), instead of using DISABLE_MAX_PRIVILEGE. (and add the privilege needed for huge pages before you start that whole process -- that needs to be added in the token used *before* we create the restricted one).

At least that's my guess from reading the docs and trying to remember :)

--
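The sequence proposed in the message above (enumerate the token's privileges, then delete all of them except the ones to keep), sketched as an added example; it is not code from the thread or from PostgreSQL. The helper names `build_delete_list` and `restrict_keeping_lock_memory` are hypothetical, the caller is assumed to have already enabled SeLockMemoryPrivilege on `tok`, and the non-Windows typedefs exist only so the filter can be compiled and checked off Windows.

```c
#ifdef _WIN32
#include <windows.h>
#else   /* stand-ins mirroring the Win32 layouts, for building the filter elsewhere */
typedef unsigned int DWORD;
typedef struct { DWORD LowPart; int HighPart; } LUID;
typedef struct { LUID Luid; DWORD Attributes; } LUID_AND_ATTRIBUTES;
#endif

/* Copy every held privilege into del[] except those whose LUID is in keep[].
 * Returns the number of entries written (the DeletePrivilegeCount argument). */
DWORD build_delete_list(const LUID_AND_ATTRIBUTES *held, DWORD nheld,
                        const LUID *keep, DWORD nkeep,
                        LUID_AND_ATTRIBUTES *del)
{
    DWORD i, k, n = 0;

    for (i = 0; i < nheld; i++) {
        for (k = 0; k < nkeep; k++)
            if (held[i].Luid.LowPart == keep[k].LowPart &&
                held[i].Luid.HighPart == keep[k].HighPart)
                break;
        if (k == nkeep) {               /* not on the keep list: delete it */
            del[n].Luid = held[i].Luid;
            del[n].Attributes = 0;      /* ignored by CreateRestrictedToken */
            n++;
        }
    }
    return n;
}

#ifdef _WIN32
/* tok: token opened with TOKEN_QUERY | TOKEN_DUPLICATE (plus whatever the
 * caller needs later); SeLockMemoryPrivilege must already be enabled on it. */
BOOL restrict_keeping_lock_memory(HANDLE tok, HANDLE *restricted)
{
    union { TOKEN_PRIVILEGES tp; BYTE raw[2048]; } u;  /* assumed large enough */
    LUID_AND_ATTRIBUTES del[64];
    LUID keep[2];
    DWORD len, n;

    if (!GetTokenInformation(tok, TokenPrivileges, &u, sizeof(u), &len) ||
        u.tp.PrivilegeCount > 64 ||
        !LookupPrivilegeValue(NULL, SE_CHANGE_NOTIFY_NAME, &keep[0]) ||
        !LookupPrivilegeValue(NULL, SE_LOCK_MEMORY_NAME, &keep[1]))
        return FALSE;
    n = build_delete_list(u.tp.Privileges, u.tp.PrivilegeCount, keep, 2, del);
    /* Flags = 0: only the privileges listed in del[] are removed. */
    return CreateRestrictedToken(tok, 0, 0, NULL, n, del, 0, NULL, restricted);
}
#endif
```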
