On 5 April 2017 at 10:37, Tsunakawa, Takayuki
<tsunakawa.takay@jp.fujitsu.com> wrote:
> Good point! And I said earlier in this thread, I think managing privileges (adding/revoking privileges from the user
> account) is the DBA's or sysadmin's duty, and PG's removing all privileges feels overkill.

I think it's a sensible alternative to refusing to run as a highly
privileged role, which is what we used to do IIRC.

> OTOH, I tried again to leave the DISABLE_MAX_PRIVILEGE as is and add Lock Pages in Memory, using the attached
> pg_ctl.c. Please see EnableLockPagesPrivilege() and its call site. But pg_ctl -w start fails emitting the following
> message:

That won't work. You'd have to pass 0 to the flags of
CreateRestrictedToken and instead supply a PrivilegesToDelete array.
You'd probably GetTokenInformation and AND with a mask of ones you
wanted to retain.

--
Craig Ringer                   http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
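
The approach suggested in the reply above, sketched as an added example that is not part of the original message or of PostgreSQL's pg_ctl.c: read the token's privileges, drop every one not on a keep list, and pass the result to CreateRestrictedToken with flags 0. The names `build_delete_list` and `restrict_keeping`, the 8-entry keep limit, and the stand-in types used off Windows are assumptions of this example.

```c
#include <stddef.h>
#include <stdlib.h>
#ifdef _WIN32
#include <windows.h>
#else  /* stand-in types (assumption) so the filter also compiles off Windows */
typedef struct { unsigned long LowPart; long HighPart; } LUID;
typedef struct { LUID Luid; unsigned long Attributes; } LUID_AND_ATTRIBUTES;
#endif
/* Copy into del[] every held privilege whose LUID is not in keep[];
 * returns the count. del[] must have room for nheld entries. */
size_t build_delete_list(const LUID_AND_ATTRIBUTES *held, size_t nheld,
                         const LUID *keep, size_t nkeep, LUID_AND_ATTRIBUTES *del)
{
    size_t ndel = 0;
    for (size_t i = 0; i < nheld; i++) {
        int retain = 0;
        for (size_t k = 0; k < nkeep && !retain; k++)
            retain = held[i].Luid.LowPart == keep[k].LowPart &&
                     held[i].Luid.HighPart == keep[k].HighPart;
        if (!retain) {
            del[ndel].Luid = held[i].Luid;
            del[ndel++].Attributes = 0;
        }
    }
    return ndel;
}

#ifdef _WIN32
/* Hypothetical helper: restricted copy of tok that retains only names[0..n-1].
 * tok needs TOKEN_QUERY | TOKEN_DUPLICATE access. Returns NULL on failure. */
HANDLE restrict_keeping(HANDLE tok, const char *const *names, size_t n)
{
    LUID keep[8]; DWORD len = 0; HANDLE out = NULL;
    if (n > 8) return NULL;
    for (size_t i = 0; i < n; i++)
        if (!LookupPrivilegeValueA(NULL, names[i], &keep[i])) return NULL;
    GetTokenInformation(tok, TokenPrivileges, NULL, 0, &len);  /* size query */
    TOKEN_PRIVILEGES *tp = malloc(len);
    if (!tp || !GetTokenInformation(tok, TokenPrivileges, tp, len, &len)) { free(tp); return NULL; }
    LUID_AND_ATTRIBUTES *del = malloc((tp->PrivilegeCount + 1) * sizeof *del);
    if (del) {
        size_t nd = build_delete_list(tp->Privileges, tp->PrivilegeCount, keep, n, del);
        /* Flags = 0: with DISABLE_MAX_PRIVILEGE the delete list is ignored. */
        if (!CreateRestrictedToken(tok, 0, 0, NULL, (DWORD) nd, del, 0, NULL, &out)) out = NULL;
    }
    free(del); free(tp);
    return out;
}
#endif
```

For the case discussed in this thread, the keep list would name `SeChangeNotifyPrivilege` (the one DISABLE_MAX_PRIVILEGE leaves in place) and `SeLockMemoryPrivilege` (Lock Pages in Memory).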