Thread: permission issues with PostgreSQL 9.2 EnterpriseDB one-click installer on windows 7 causes initcluster to fail
permission issues with PostgreSQL 9.2 EnterpriseDB one-click installer on windows 7 causes initcluster to fail
From
david fleischhauer
Date:
I have noted two bugs dealing with permissions with the EnterpriseDB one-click installer. Both are similar cases: 1. Permissions are not given to the PostgreSQL bin directory. If I try to install postgres on a drive with limited permissions (for my test, only the 'Administrators' group had permissions), I get an error saying "libintl-8.dll" is missing. That file is located in the postgres bin directory. The issue is that your initcluster.vbs script only gives permissions for the data directory and the parent directories of the data directory. In order for postgres to install correctly, permissions need to be added for the bin directory. 2. Permissions are not properly given to the PostgreSQL data directory's root drive in PostgreSQL version 9.2.5 and up. In PostgreSQL 9.2.4 there is a comment in the initcluster.vbs script saying: ' Drive letter must not be surrounded by double-quotes and ends with slash (\) ' "icacls" fails on the drives with (NP) flag In version 9.2.5, the initcluster.vbs script has been changed and the above corner case is not taken care of. Again, to reproduce this issue, I set the E drive of my machine to only give permissions to the 'Administrators' group and my E drive was completely empty. I also had to fixed issue #1 to get this issue to pop up. The error I am getting from the logfile is: The database cluster will be initialized with locale "English_United States.1252". The default text search configuration will be set to "english". fixing permissions on existing directory E:/dir/data ... ok creating subdirectories ... initdb: could not create directory "E:/dir": File exists initdb: removing contents of data directory "E:/dir/data" Called Die(Failed to initialise the database cluster with initdb)... Failed to initialise the database cluster with initdb Here are the slight differences between the icacls command to grant permissions to the root drive in 9.2.4 and 9.2.5: 9.2.4: icacls E:\ /grant ... 9.2.5: icacls "E:" /grant ... As your comment shows, having quotes around 'E:' and also not including the slash will cause an issue, both of which are not taken care of in the 9.2.5 icacls command. Hopefully I have clearly stated the issues. If these issues have not been reported and there are any issues understanding what I wrote, feel free to reply to this email. thanks, David
Re: permission issues with PostgreSQL 9.2 EnterpriseDB one-click installer on windows 7 causes initcluster to fail
From
Sandeep Thakkar
Date:
Hi David Thanks for checking and reporting this. Before we proceed, we would like some more information. Please see the comments inline. On Fri, Dec 13, 2013 at 11:00 PM, david fleischhauer <dgfleisch@gmail.com>wrote: > I have noted two bugs dealing with permissions with the EnterpriseDB > one-click installer. Both are similar cases: > > > 1. Permissions are not given to the PostgreSQL bin directory. If I try > to install postgres on a drive with limited permissions (for my test, only > the 'Administrators' group had permissions), I get an error saying > "libintl-8.dll" is missing. That file is located in the postgres bin > directory. The issue is that your initcluster.vbs script only gives > permissions for the data directory and the parent directories of the data > directory. In order for postgres to install correctly, permissions need to > be added for the bin directory. > initcluster.vbs is supposed to deal only with the cluster directory and it's permissions. Could you list the ACL on the E:\ drive please? Command line output will do. (icacls E:\) > > > 2. Permissions are not properly given to the PostgreSQL data directory's > root drive in PostgreSQL version 9.2.5 and up. In PostgreSQL 9.2.4 there > is a comment in the initcluster.vbs script saying: > Yes, In 9.2.5, initcluster script has undergone some changes because lot of people did not want the initcluster to change the permissions on the complete parent path of the data directory as icacls would take a lot of time to do this if that path contains huge number of files. Hence, from 9.2.5, by default the initcluster will change the permissions of just the 'data' directory. If user wants the ACL to be edited on the complete path, then he can do it with a new command line option "--enable_acledit 1". > > > ' Drive letter must not be surrounded by double-quotes and ends with > slash (\) > ' "icacls" fails on the drives with (NP) flag > > In version 9.2.5, the initcluster.vbs script has been changed and the > above corner case is not taken care of. Again, to reproduce this issue, I > set the E drive of my machine to only give permissions to the > 'Administrators' group and my E drive was completely empty. I also had to > fixed issue #1 to get this issue to pop up. The error I am getting from > the logfile is: > > The database cluster will be initialized with locale "English_United > States.1252". > The default text search configuration will be set to "english". > > fixing permissions on existing directory E:/dir/data ... ok > creating subdirectories ... initdb: could not create directory > "E:/dir": File exists > initdb: removing contents of data directory "E:/dir/data" > > Called Die(Failed to initialise the database cluster with initdb)... > Failed to initialise the database cluster with initdb > > Here are the slight differences between the icacls command to grant > permissions to the root drive in 9.2.4 and 9.2.5: > > 9.2.4: icacls E:\ /grant ... > 9.2.5: icacls "E:" /grant ... > > As your comment shows, having quotes around 'E:' and also not including > the slash will cause an issue, both of which are not taken care of in the > 9.2.5 icacls command. > Sure. Will look into this. You ran into this issue during the installation? Or when you run the initcluster script manually? > > Hopefully I have clearly stated the issues. If these issues have not been > reported and there are any issues understanding what I wrote, feel free to > reply to this email. > > thanks, > David > -- Sandeep Thakkar
Re: permission issues with PostgreSQL 9.2 EnterpriseDB one-click installer on windows 7 causes initcluster to fail
From
David Fleischhauer
Date:
I have added my comments inline as well: On Mon, Dec 16, 2013 at 1:35 AM, Sandeep Thakkar < sandeep.thakkar@enterprisedb.com> wrote: > Hi David > > Thanks for checking and reporting this. Before we proceed, we would like > some more information. Please see the comments inline. > > > On Fri, Dec 13, 2013 at 11:00 PM, david fleischhauer <dgfleisch@gmail.com>wrote: > >> I have noted two bugs dealing with permissions with the EnterpriseDB >> one-click installer. Both are similar cases: >> > >> 1. Permissions are not given to the PostgreSQL bin directory. If I try >> to install postgres on a drive with limited permissions (for my test, only >> the 'Administrators' group had permissions), I get an error saying >> "libintl-8.dll" is missing. That file is located in the postgres bin >> directory. The issue is that your initcluster.vbs script only gives >> permissions for the data directory and the parent directories of the data >> directory. In order for postgres to install correctly, permissions need to >> be added for the bin directory. >> > > initcluster.vbs is supposed to deal only with the cluster directory and > it's permissions. Could you list the ACL on the E:\ drive please? Command > line output will do. (icacls E:\) > E:\>icacls E:\ E:\ BUILTIN\Administrators:(OI)(CI)(F) Successfully processed 1 files; Failed processing 0 files I understand your reasoning that initcluster.vbs should only deal with permissions related to the data directory, but in order to create the data cluster, you need to run initdb which is in the bin directory. I am assuming my issue is related to the initdb command using dll libraries in the bin directory that it cannot find because the current logged in user does not have read rights to the bin directory. Giving read rights to the bin directory before running initcluster.vbs fixes my issue. This issue affects the default GUI installer too. The GUI installer never sets permissions for the bin directory. One thing to note, all of my testing has been done with a data directory that is not a sibling of the bin directory. I do not think this is necessary to reproduce the problem but I have done that to ensure the icacls commands on the data directory does not interfere with the permissions of the bin directory and mask the problem somehow. > >> > >> 2. Permissions are not properly given to the PostgreSQL data directory's >> root drive in PostgreSQL version 9.2.5 and up. In PostgreSQL 9.2.4 there >> is a comment in the initcluster.vbs script saying: >> > > Yes, In 9.2.5, initcluster script has undergone some changes because lot > of people did not want the initcluster to change the permissions on the > complete parent path of the data directory as icacls would take a lot of > time to do this if that path contains huge number of files. Hence, from > 9.2.5, by default the initcluster will change the permissions of just the > 'data' directory. If user wants the ACL to be edited on the complete path, > then he can do it with a new command line option "--enable_acledit 1". > Yeah, the new flag is a good idea and changing the script is ok, its just when it was changed, a really weird corner case that was explicitly handled before is no longer being handled. > >> > >> ' Drive letter must not be surrounded by double-quotes and ends with >> slash (\) >> ' "icacls" fails on the drives with (NP) flag >> >> In version 9.2.5, the initcluster.vbs script has been changed and the >> above corner case is not taken care of. Again, to reproduce this issue, I >> set the E drive of my machine to only give permissions to the >> 'Administrators' group and my E drive was completely empty. I also had to >> fixed issue #1 to get this issue to pop up. The error I am getting from >> the logfile is: >> >> The database cluster will be initialized with locale "English_United >> States.1252". >> The default text search configuration will be set to "english". >> >> fixing permissions on existing directory E:/dir/data ... ok >> creating subdirectories ... initdb: could not create directory >> "E:/dir": File exists >> initdb: removing contents of data directory "E:/dir/data" >> >> Called Die(Failed to initialise the database cluster with initdb)... >> Failed to initialise the database cluster with initdb >> >> Here are the slight differences between the icacls command to grant >> permissions to the root drive in 9.2.4 and 9.2.5: >> >> 9.2.4: icacls E:\ /grant ... >> 9.2.5: icacls "E:" /grant ... >> >> As your comment shows, having quotes around 'E:' and also not including >> the slash will cause an issue, both of which are not taken care of in the >> 9.2.5 icacls command. >> > > Sure. Will look into this. You ran into this issue during the > installation? Or when you run the initcluster script manually? > > I can reproduce this issue both ways. If you run the GUI installer with the E: drive completely empty and with the administrators group as the only group with permissions as I have given in the 'icacls E:\' command, you will first run into issue #1. To get issue #2, what I have done is explicitly create the postgres install directory if it does not exist and set read and write permissions on the directory. I do this before running the installer. I can run the same exact icacls command initcluster.vbs runs, and it passes with flying colors (for both 9.2.4 and 9.2.5). I even have saved off the radxxxx.bat file and have run that and it still passes with flying colors. The issue crops up when running the batch file within vb. Oddly enough, if I run the vb script a second time (not through the installer), it will give the correct permissions. So I think there is a bug in vb that initcluster.vbs is exploiting with the 'icacls "E:" ...' command. I have created a vb script that only has the doCmd(...) method in it and I pass in my own icacls command and I still get this issue. > >> Hopefully I have clearly stated the issues. If these issues have not >> been reported and there are any issues understanding what I wrote, feel >> free to reply to this email. >> >> thanks, >> David >> > > > > -- > Sandeep Thakkar > >
Re: permission issues with PostgreSQL 9.2 EnterpriseDB one-click installer on windows 7 causes initcluster to fail
From
Sandeep Thakkar
Date:
On Mon, Dec 16, 2013 at 9:26 PM, David Fleischhauer <dgfleisch@gmail.com>wrote: > I have added my comments inline as well: > > > On Mon, Dec 16, 2013 at 1:35 AM, Sandeep Thakkar < > sandeep.thakkar@enterprisedb.com> wrote: > >> Hi David >> >> Thanks for checking and reporting this. Before we proceed, we would like >> some more information. Please see the comments inline. >> >> >> On Fri, Dec 13, 2013 at 11:00 PM, david fleischhauer <dgfleisch@gmail.com >> > wrote: >> >>> I have noted two bugs dealing with permissions with the EnterpriseDB >>> one-click installer. Both are similar cases: >>> >> >>> 1. Permissions are not given to the PostgreSQL bin directory. If I try >>> to install postgres on a drive with limited permissions (for my test, only >>> the 'Administrators' group had permissions), I get an error saying >>> "libintl-8.dll" is missing. That file is located in the postgres bin >>> directory. The issue is that your initcluster.vbs script only gives >>> permissions for the data directory and the parent directories of the data >>> directory. In order for postgres to install correctly, permissions need to >>> be added for the bin directory. >>> >> >> initcluster.vbs is supposed to deal only with the cluster directory and >> it's permissions. Could you list the ACL on the E:\ drive please? Command >> line output will do. (icacls E:\) >> > > E:\>icacls E:\ > E:\ BUILTIN\Administrators:(OI)(CI)(F) > > Successfully processed 1 files; Failed processing 0 files > > I understand your reasoning that initcluster.vbs should only deal with > permissions related to the data directory, but in order to create the data > cluster, you need to run initdb which is in the bin directory. I am > assuming my issue is related to the initdb command using dll libraries in > the bin directory that it cannot find because the current logged in user > does not have read rights to the bin directory. Giving read rights to the > bin directory before running initcluster.vbs fixes my issue. This issue > affects the default GUI installer too. The GUI installer never sets > permissions for the bin directory. One thing to note, all of my testing > has been done with a data directory that is not a sibling of the bin > directory. I do not think this is necessary to reproduce the problem but I > have done that to ensure the icacls commands on the data directory does not > interfere with the permissions of the bin directory and mask the problem > somehow. > >> >>> >> You mean your installation location and the data directory location was on different drives? Or just the different paths in E:\? > >>> 2. Permissions are not properly given to the PostgreSQL data >>> directory's root drive in PostgreSQL version 9.2.5 and up. In PostgreSQL >>> 9.2.4 there is a comment in the initcluster.vbs script saying: >>> >> >> Yes, In 9.2.5, initcluster script has undergone some changes because lot >> of people did not want the initcluster to change the permissions on the >> complete parent path of the data directory as icacls would take a lot of >> time to do this if that path contains huge number of files. Hence, from >> 9.2.5, by default the initcluster will change the permissions of just the >> 'data' directory. If user wants the ACL to be edited on the complete path, >> then he can do it with a new command line option "--enable_acledit 1". >> > > Yeah, the new flag is a good idea and changing the script is ok, its just > when it was changed, a really weird corner case that was explicitly handled > before is no longer being handled. > I executed the following command: icacls "E:" /grant "NT AUTHORITY\NetworkService":(NP)(RX) and this command worked fine. I used the double quotes around the drive and it does not end with slash. So, my guess is that the comment in the script is not relevant anymore? and the issue#2 also appears because of the permissions? > > >>> >> >>> ' Drive letter must not be surrounded by double-quotes and ends with >>> slash (\) >>> ' "icacls" fails on the drives with (NP) flag >>> >>> In version 9.2.5, the initcluster.vbs script has been changed and the >>> above corner case is not taken care of. Again, to reproduce this issue, I >>> set the E drive of my machine to only give permissions to the >>> 'Administrators' group and my E drive was completely empty. I also had to >>> fixed issue #1 to get this issue to pop up. The error I am getting from >>> the logfile is: >>> >>> The database cluster will be initialized with locale "English_United >>> States.1252". >>> The default text search configuration will be set to "english". >>> >>> fixing permissions on existing directory E:/dir/data ... ok >>> creating subdirectories ... initdb: could not create directory >>> "E:/dir": File exists >>> initdb: removing contents of data directory "E:/dir/data" >>> >>> Called Die(Failed to initialise the database cluster with initdb)... >>> Failed to initialise the database cluster with initdb >>> >>> Here are the slight differences between the icacls command to grant >>> permissions to the root drive in 9.2.4 and 9.2.5: >>> >>> 9.2.4: icacls E:\ /grant ... >>> 9.2.5: icacls "E:" /grant ... >>> >>> As your comment shows, having quotes around 'E:' and also not including >>> the slash will cause an issue, both of which are not taken care of in the >>> 9.2.5 icacls command. >>> >> >> Sure. Will look into this. You ran into this issue during the >> installation? Or when you run the initcluster script manually? >> >> > I can reproduce this issue both ways. If you run the GUI installer with > the E: drive completely empty and with the administrators group as the only > group with permissions as I have given in the 'icacls E:\' command, you > will first run into issue #1. To get issue #2, what I have done is > explicitly create the postgres install directory if it does not exist and > set read and write permissions on the directory. I do this before running > the installer. > > I can run the same exact icacls command initcluster.vbs runs, and it > passes with flying colors (for both 9.2.4 and 9.2.5). I even have saved > off the radxxxx.bat file and have run that and it still passes with flying > colors. The issue crops up when running the batch file within vb. Oddly > enough, if I run the vb script a second time (not through the installer), > it will give the correct permissions. So I think there is a bug in vb that > initcluster.vbs is exploiting with the 'icacls "E:" ...' command. I have > created a vb script that only has the doCmd(...) method in it and I pass in > my own icacls command and I still get this issue. > >> >>> Hopefully I have clearly stated the issues. If these issues have not >>> been reported and there are any issues understanding what I wrote, feel >>> free to reply to this email. >>> >>> thanks, >>> David >>> >> >> >> >> -- >> Sandeep Thakkar >> >> > -- Sandeep Thakkar
Re: permission issues with PostgreSQL 9.2 EnterpriseDB one-click installer on windows 7 causes initcluster to fail
From
David Fleischhauer
Date:
On Wed, Dec 18, 2013 at 2:58 AM, Sandeep Thakkar < sandeep.thakkar@enterprisedb.com> wrote: > > > > On Mon, Dec 16, 2013 at 9:26 PM, David Fleischhauer <dgfleisch@gmail.com>wrote: > >> I have added my comments inline as well: >> >> >> On Mon, Dec 16, 2013 at 1:35 AM, Sandeep Thakkar < >> sandeep.thakkar@enterprisedb.com> wrote: >> >>> Hi David >>> >>> Thanks for checking and reporting this. Before we proceed, we would like >>> some more information. Please see the comments inline. >>> >>> >>> On Fri, Dec 13, 2013 at 11:00 PM, david fleischhauer < >>> dgfleisch@gmail.com> wrote: >>> >>>> I have noted two bugs dealing with permissions with the EnterpriseDB >>>> one-click installer. Both are similar cases: >>>> >>> >>>> 1. Permissions are not given to the PostgreSQL bin directory. If I >>>> try to install postgres on a drive with limited permissions (for my test, >>>> only the 'Administrators' group had permissions), I get an error saying >>>> "libintl-8.dll" is missing. That file is located in the postgres bin >>>> directory. The issue is that your initcluster.vbs script only gives >>>> permissions for the data directory and the parent directories of the data >>>> directory. In order for postgres to install correctly, permissions need to >>>> be added for the bin directory. >>>> >>> >>> initcluster.vbs is supposed to deal only with the cluster directory and >>> it's permissions. Could you list the ACL on the E:\ drive please? Command >>> line output will do. (icacls E:\) >>> >> >> E:\>icacls E:\ >> E:\ BUILTIN\Administrators:(OI)(CI)(F) >> >> Successfully processed 1 files; Failed processing 0 files >> >> I understand your reasoning that initcluster.vbs should only deal >> with permissions related to the data directory, but in order to create the >> data cluster, you need to run initdb which is in the bin directory. I am >> assuming my issue is related to the initdb command using dll libraries in >> the bin directory that it cannot find because the current logged in user >> does not have read rights to the bin directory. Giving read rights to the >> bin directory before running initcluster.vbs fixes my issue. This issue >> affects the default GUI installer too. The GUI installer never sets >> permissions for the bin directory. One thing to note, all of my testing >> has been done with a data directory that is not a sibling of the bin >> directory. I do not think this is necessary to reproduce the problem but I >> have done that to ensure the icacls commands on the data directory does not >> interfere with the permissions of the bin directory and mask the problem >> somehow. >> >>> >>>> >>> You mean your installation location and the data directory location was > on different drives? Or just the different paths in E:\? > They can be on different drive if you want them to be, or they can just be on different paths in the same directory. For instance: Postgres Bin Dir: E:\dir\PostgreSQL\9.2\bin Postgres Data Dir: E:\dir\data the point is to get a situation where initcluster.vbs does not give permissions to bin directory's parent (i.e. E:\dir\PostgreSQL\9.2). initcluster.vbs would only give permissions to that directory if the data dir is a sibling of the bin directory (i.e. E:\dir\PostgreSQL\9.2\data) Here is a list of steps to follow to recreate the issue: 1. Empty out your E:\ drive so that there is nothing left in it. 2. Right-click on the E:\ drive in an explorer window and click "Properties" 3. Click on the "Security" tab 4. Click "Edit..." 5. Click "Remove" for all "Group or User Names" except for "Administrators (<cpuname>\Administrators)". If Administrators is not listed,, add it. 6. Click "Apply" and close out of all windows 7. Double click on the postgres installer => postgresql-9.2.5-1-windows-x64.exe. Make sure the installer is version 9.2.5 or later 8. When prompted for the installation directory, type in: E:\dir\PostgreSQL\9.2\ 9. When prompted for the data directory, type in: E:\dir\data 10. Answer all the other questions. The installation should fail due to a libintl-8.dll file not being found (issue #1). The file should be located in the postgres bin directory 11. Uninstall PostgreSQL 9.2 12. Repeat steps 1-6 13. Run the following commands: mkdir "E:\dir\PostgreSQL\9.2\" icacls "E:\dir\PostgreSQL\9.2\" /grant "NT AUTHORITY\NetworkService":"(OI)(CI)RX" icacls "E:\dir\PostgreSQL\9.2\" /grant "<logged-in user>":"(OI)(CI)RX" 14. Repeat steps 7-10. The installation should fail again, but give you a different error (issue #2). 15. Repeat steps 2 and 3. You should only see "Administrators (<cpuname>\Administrators)" under "Group or User Names". Notice that no permissions were granted for the "NT AUTHORITY\NetworkService" or the logged in user. If you go to "E:\dir" and look at its security tab under properties, you will see the logged in user present under "Group or User Names", so the icacls command succeeded for "E:\dir". Now go into your temp directory and look at install-postgresql.log. You will see the following error: The database cluster will be initialized with locale "English_United States.1252". The default text search configuration will be set to "english". fixing permissions on existing directory E:/dir/data ... ok creating subdirectories ... initdb: could not create directory "E:/dir": File exists initdb: removing contents of data directory "E:/dir/data" Called Die(Failed to initialise the database cluster with initdb)... Failed to initialise the database cluster with initdb You will also see a little bit further up: Executing icacls to ensure the <logged-in user> account can read the path E: Executing batch file 'radAC52112.bat'... processed file: E: Successfully processed 1 files; Failed processing 0 files Which leads you to believe it correctly gave permissions to the E: drive, but as we confirmed earlier, it did not. If you follow these steps, hopefully you will be able to recreate my issues. > >>>> 2. Permissions are not properly given to the PostgreSQL data >>>> directory's root drive in PostgreSQL version 9.2.5 and up. In PostgreSQL >>>> 9.2.4 there is a comment in the initcluster.vbs script saying: >>>> >>> >>> Yes, In 9.2.5, initcluster script has undergone some changes because lot >>> of people did not want the initcluster to change the permissions on the >>> complete parent path of the data directory as icacls would take a lot of >>> time to do this if that path contains huge number of files. Hence, from >>> 9.2.5, by default the initcluster will change the permissions of just the >>> 'data' directory. If user wants the ACL to be edited on the complete path, >>> then he can do it with a new command line option "--enable_acledit 1". >>> >> >> Yeah, the new flag is a good idea and changing the script is ok, its just >> when it was changed, a really weird corner case that was explicitly handled >> before is no longer being handled. >> > > I executed the following command: > icacls "E:" /grant "NT AUTHORITY\NetworkService":(NP)(RX) > > and this command worked fine. I used the double quotes around the drive > and it does not end with slash. So, my guess is that the comment in the > script is not relevant anymore? and the issue#2 also appears because of the > permissions? > If you open up a cmd windows and type icacls "E:" /grant "NT AUTHORITY\NetworkService":(NP)(RX), it will pass and grant you the correct permissions. How to get the error is to remove all permissions from the drive except for the administrators group and run the DoCmd(strCmd) method in VB. Here is the method for reference: ' Execute a command Function DoCmd(strCmd) Dim objBatchFile Set objBatchFile = objTempFolder.CreateTextFile(strBatchFile, True) objBatchFile.WriteLine "@ECHO OFF" objBatchFile.WriteLine strCmd & " > """ & strOutputFile & """ 2>&1" objBatchFile.WriteLine "EXIT /B %ERRORLEVEL%" objBatchFile.Close WScript.Echo " Executing batch file '" & strBatchFile & "'..." DoCmd = objShell.Run(objTempFolder.Path & "\" & strBatchFile, 0, True) If objFso.FileExists(objTempFolder.Path & "\" & strBatchFile) = True Then objFso.DeleteFile objTempFolder.Path & "\" & strBatchFile, True Else WScript.Echo " Batch file '" & strBatchFile & "' does not exist..." End If If objFso.FileExists(strOutputFile) = True Then Dim objOutputFile Set objOutputFile = objFso.OpenTextFile(strOutputFile, ForReading) WScript.Echo " " & objOutputFile.ReadAll objOutputFile.Close objFso.DeleteFile strOutputFile, True Else WScript.Echo " Output file does not exists..." End If End Function It first creates a batch file and writes three lines to it: @echo off icacls ... EXIT /B %ERRORLEVEL% then it calls: DoCmd = objShell.Run(objTempFolder.Path & "\" & strBatchFile, 0, True) if you pass in 'icacls "E:" /grant "NT AUTHORITY\NetworkService":(NP)(RX)' to the DoCmd with an empty E:\ drive and the correct permissions, you will see that the icacls command is executed and outputs that the command passes. However, if you go back and look at the permissions on the E:\ drive, you will see that the permissions actually did not get set. I believe this is an issue with vb itself as the icacls command should not pass when it obviously is failing. >> >>>> >>> >>>> ' Drive letter must not be surrounded by double-quotes and ends >>>> with slash (\) >>>> ' "icacls" fails on the drives with (NP) flag >>>> >>>> In version 9.2.5, the initcluster.vbs script has been changed and the >>>> above corner case is not taken care of. Again, to reproduce this issue, I >>>> set the E drive of my machine to only give permissions to the >>>> 'Administrators' group and my E drive was completely empty. I also had to >>>> fixed issue #1 to get this issue to pop up. The error I am getting from >>>> the logfile is: >>>> >>>> The database cluster will be initialized with locale >>>> "English_United States.1252". >>>> The default text search configuration will be set to "english". >>>> >>>> fixing permissions on existing directory E:/dir/data ... ok >>>> creating subdirectories ... initdb: could not create directory >>>> "E:/dir": File exists >>>> initdb: removing contents of data directory "E:/dir/data" >>>> >>>> Called Die(Failed to initialise the database cluster with initdb)... >>>> Failed to initialise the database cluster with initdb >>>> >>>> Here are the slight differences between the icacls command to grant >>>> permissions to the root drive in 9.2.4 and 9.2.5: >>>> >>>> 9.2.4: icacls E:\ /grant ... >>>> 9.2.5: icacls "E:" /grant ... >>>> >>>> As your comment shows, having quotes around 'E:' and also not including >>>> the slash will cause an issue, both of which are not taken care of in the >>>> 9.2.5 icacls command. >>>> >>> >>> Sure. Will look into this. You ran into this issue during the >>> installation? Or when you run the initcluster script manually? >>> >>> >> I can reproduce this issue both ways. If you run the GUI installer >> with the E: drive completely empty and with the administrators group as the >> only group with permissions as I have given in the 'icacls E:\' command, >> you will first run into issue #1. To get issue #2, what I have done is >> explicitly create the postgres install directory if it does not exist and >> set read and write permissions on the directory. I do this before running >> the installer. >> >> I can run the same exact icacls command initcluster.vbs runs, and it >> passes with flying colors (for both 9.2.4 and 9.2.5). I even have saved >> off the radxxxx.bat file and have run that and it still passes with flying >> colors. The issue crops up when running the batch file within vb. Oddly >> enough, if I run the vb script a second time (not through the installer), >> it will give the correct permissions. So I think there is a bug in vb that >> initcluster.vbs is exploiting with the 'icacls "E:" ...' command. I have >> created a vb script that only has the doCmd(...) method in it and I pass in >> my own icacls command and I still get this issue. >> >>> >>>> Hopefully I have clearly stated the issues. If these issues have not >>>> been reported and there are any issues understanding what I wrote, feel >>>> free to reply to this email. >>>> >>>> thanks, >>>> David >>>> >>> >>> >>> >>> -- >>> Sandeep Thakkar >>> >>> >> > > > -- > Sandeep Thakkar > >
Re: permission issues with PostgreSQL 9.2 EnterpriseDB one-click installer on windows 7 causes initcluster to fail
From
Sandeep Thakkar
Date:
Thanks. This will be taken care of in the next updates. But, please note that all this ACL changes will be done only when "--enable_acledit 1" switch is provided on the command line when the installer is run. On Wed, Dec 18, 2013 at 8:31 PM, David Fleischhauer <dgfleisch@gmail.com>wrote: > > > > On Wed, Dec 18, 2013 at 2:58 AM, Sandeep Thakkar < > sandeep.thakkar@enterprisedb.com> wrote: > >> >> >> >> On Mon, Dec 16, 2013 at 9:26 PM, David Fleischhauer <dgfleisch@gmail.com>wrote: >> >>> I have added my comments inline as well: >>> >>> >>> On Mon, Dec 16, 2013 at 1:35 AM, Sandeep Thakkar < >>> sandeep.thakkar@enterprisedb.com> wrote: >>> >>>> Hi David >>>> >>>> Thanks for checking and reporting this. Before we proceed, we would >>>> like some more information. Please see the comments inline. >>>> >>>> >>>> On Fri, Dec 13, 2013 at 11:00 PM, david fleischhauer < >>>> dgfleisch@gmail.com> wrote: >>>> >>>>> I have noted two bugs dealing with permissions with the EnterpriseDB >>>>> one-click installer. Both are similar cases: >>>>> >>>> >>>>> 1. Permissions are not given to the PostgreSQL bin directory. If I >>>>> try to install postgres on a drive with limited permissions (for my test, >>>>> only the 'Administrators' group had permissions), I get an error saying >>>>> "libintl-8.dll" is missing. That file is located in the postgres bin >>>>> directory. The issue is that your initcluster.vbs script only gives >>>>> permissions for the data directory and the parent directories of the data >>>>> directory. In order for postgres to install correctly, permissions need to >>>>> be added for the bin directory. >>>>> >>>> >>>> initcluster.vbs is supposed to deal only with the cluster directory and >>>> it's permissions. Could you list the ACL on the E:\ drive please? Command >>>> line output will do. (icacls E:\) >>>> >>> >>> E:\>icacls E:\ >>> E:\ BUILTIN\Administrators:(OI)(CI)(F) >>> >>> Successfully processed 1 files; Failed processing 0 files >>> >>> I understand your reasoning that initcluster.vbs should only deal >>> with permissions related to the data directory, but in order to create the >>> data cluster, you need to run initdb which is in the bin directory. I am >>> assuming my issue is related to the initdb command using dll libraries in >>> the bin directory that it cannot find because the current logged in user >>> does not have read rights to the bin directory. Giving read rights to the >>> bin directory before running initcluster.vbs fixes my issue. This issue >>> affects the default GUI installer too. The GUI installer never sets >>> permissions for the bin directory. One thing to note, all of my testing >>> has been done with a data directory that is not a sibling of the bin >>> directory. I do not think this is necessary to reproduce the problem but I >>> have done that to ensure the icacls commands on the data directory does not >>> interfere with the permissions of the bin directory and mask the problem >>> somehow. >>> >>>> >>>>> >>>> You mean your installation location and the data directory location was >> on different drives? Or just the different paths in E:\? >> > > They can be on different drive if you want them to be, or they can just be > on different paths in the same directory. For instance: > > Postgres Bin Dir: E:\dir\PostgreSQL\9.2\bin > Postgres Data Dir: E:\dir\data > > the point is to get a situation where initcluster.vbs does not give > permissions to bin directory's parent (i.e. E:\dir\PostgreSQL\9.2). > initcluster.vbs would only give permissions to that directory if the data > dir is a sibling of the bin directory (i.e. E:\dir\PostgreSQL\9.2\data) > > Here is a list of steps to follow to recreate the issue: > > 1. Empty out your E:\ drive so that there is nothing left in it. > 2. Right-click on the E:\ drive in an explorer window and click > "Properties" > 3. Click on the "Security" tab > 4. Click "Edit..." > 5. Click "Remove" for all "Group or User Names" except for > "Administrators (<cpuname>\Administrators)". If Administrators is not > listed,, add it. > 6. Click "Apply" and close out of all windows > 7. Double click on the postgres installer => > postgresql-9.2.5-1-windows-x64.exe. Make sure the installer is version > 9.2.5 or later > 8. When prompted for the installation directory, type in: > E:\dir\PostgreSQL\9.2\ > 9. When prompted for the data directory, type in: E:\dir\data > 10. Answer all the other questions. The installation should fail due to a > libintl-8.dll file not being found (issue #1). The file should be located > in the postgres bin directory > 11. Uninstall PostgreSQL 9.2 > 12. Repeat steps 1-6 > 13. Run the following commands: > mkdir "E:\dir\PostgreSQL\9.2\" > icacls "E:\dir\PostgreSQL\9.2\" /grant "NT > AUTHORITY\NetworkService":"(OI)(CI)RX" > icacls "E:\dir\PostgreSQL\9.2\" /grant "<logged-in > user>":"(OI)(CI)RX" > 14. Repeat steps 7-10. The installation should fail again, but give you a > different error (issue #2). > 15. Repeat steps 2 and 3. You should only see "Administrators > (<cpuname>\Administrators)" under "Group or User Names". Notice that no > permissions were granted for the "NT AUTHORITY\NetworkService" or the > logged in user. If you go to "E:\dir" and look at its security tab under > properties, you will see the logged in user present under "Group or User > Names", so the icacls command succeeded for "E:\dir". > > Now go into your temp directory and look at install-postgresql.log. You > will see the following error: > > > The database cluster will be initialized with locale "English_United > States.1252". > The default text search configuration will be set to "english". > > fixing permissions on existing directory E:/dir/data ... ok > creating subdirectories ... initdb: could not create directory > "E:/dir": File exists > initdb: removing contents of data directory "E:/dir/data" > > Called Die(Failed to initialise the database cluster with initdb)... > Failed to initialise the database cluster with initdb > > You will also see a little bit further up: > > Executing icacls to ensure the <logged-in user> account can read the > path E: > Executing batch file 'radAC52112.bat'... > processed file: E: > > Successfully processed 1 files; Failed processing 0 files > > Which leads you to believe it correctly gave permissions to the E: drive, > but as we confirmed earlier, it did not. If you follow these steps, > hopefully you will be able to recreate my issues. > > >> >>>>> 2. Permissions are not properly given to the PostgreSQL data >>>>> directory's root drive in PostgreSQL version 9.2.5 and up. In PostgreSQL >>>>> 9.2.4 there is a comment in the initcluster.vbs script saying: >>>>> >>>> >>>> Yes, In 9.2.5, initcluster script has undergone some changes because >>>> lot of people did not want the initcluster to change the permissions on the >>>> complete parent path of the data directory as icacls would take a lot of >>>> time to do this if that path contains huge number of files. Hence, from >>>> 9.2.5, by default the initcluster will change the permissions of just the >>>> 'data' directory. If user wants the ACL to be edited on the complete path, >>>> then he can do it with a new command line option "--enable_acledit 1". >>>> >>> >>> Yeah, the new flag is a good idea and changing the script is ok, its >>> just when it was changed, a really weird corner case that was explicitly >>> handled before is no longer being handled. >>> >> >> I executed the following command: >> icacls "E:" /grant "NT AUTHORITY\NetworkService":(NP)(RX) >> >> and this command worked fine. I used the double quotes around the drive >> and it does not end with slash. So, my guess is that the comment in the >> script is not relevant anymore? and the issue#2 also appears because of the >> permissions? >> > > If you open up a cmd windows and type icacls "E:" /grant "NT > AUTHORITY\NetworkService":(NP)(RX), it will pass and grant you the > correct permissions. How to get the error is to remove all permissions > from the drive except for the administrators group and run the > DoCmd(strCmd) method in VB. Here is the method for reference: > > ' Execute a command > Function DoCmd(strCmd) > Dim objBatchFile > Set objBatchFile = objTempFolder.CreateTextFile(strBatchFile, True) > objBatchFile.WriteLine "@ECHO OFF" > objBatchFile.WriteLine strCmd & " > """ & strOutputFile & """ 2>&1" > objBatchFile.WriteLine "EXIT /B %ERRORLEVEL%" > objBatchFile.Close > WScript.Echo " Executing batch file '" & strBatchFile & "'..." > DoCmd = objShell.Run(objTempFolder.Path & "\" & strBatchFile, 0, > True) > If objFso.FileExists(objTempFolder.Path & "\" & strBatchFile) = > True Then > objFso.DeleteFile objTempFolder.Path & "\" & strBatchFile, True > Else > WScript.Echo " Batch file '" & strBatchFile & "' does not > exist..." > End If > If objFso.FileExists(strOutputFile) = True Then > Dim objOutputFile > Set objOutputFile = objFso.OpenTextFile(strOutputFile, > ForReading) > WScript.Echo " " & objOutputFile.ReadAll > objOutputFile.Close > objFso.DeleteFile strOutputFile, True > Else > WScript.Echo " Output file does not exists..." > End If > End Function > > It first creates a batch file and writes three lines to it: > > @echo off > icacls ... > EXIT /B %ERRORLEVEL% > > then it calls: > > DoCmd = objShell.Run(objTempFolder.Path & "\" & strBatchFile, 0, True) > > if you pass in 'icacls "E:" /grant "NT AUTHORITY\NetworkService":(NP)(RX)' > to the DoCmd with an empty E:\ drive and the correct permissions, you will > see that the icacls command is executed and outputs that the command > passes. However, if you go back and look at the permissions on the E:\ > drive, you will see that the permissions actually did not get set. I > believe this is an issue with vb itself as the icacls command should not > pass when it obviously is failing. > > >>> >>>>> >>>> >>>>> ' Drive letter must not be surrounded by double-quotes and ends >>>>> with slash (\) >>>>> ' "icacls" fails on the drives with (NP) flag >>>>> >>>>> In version 9.2.5, the initcluster.vbs script has been changed and the >>>>> above corner case is not taken care of. Again, to reproduce this issue, I >>>>> set the E drive of my machine to only give permissions to the >>>>> 'Administrators' group and my E drive was completely empty. I also had to >>>>> fixed issue #1 to get this issue to pop up. The error I am getting from >>>>> the logfile is: >>>>> >>>>> The database cluster will be initialized with locale >>>>> "English_United States.1252". >>>>> The default text search configuration will be set to "english". >>>>> >>>>> fixing permissions on existing directory E:/dir/data ... ok >>>>> creating subdirectories ... initdb: could not create directory >>>>> "E:/dir": File exists >>>>> initdb: removing contents of data directory "E:/dir/data" >>>>> >>>>> Called Die(Failed to initialise the database cluster with >>>>> initdb)... >>>>> Failed to initialise the database cluster with initdb >>>>> >>>>> Here are the slight differences between the icacls command to grant >>>>> permissions to the root drive in 9.2.4 and 9.2.5: >>>>> >>>>> 9.2.4: icacls E:\ /grant ... >>>>> 9.2.5: icacls "E:" /grant ... >>>>> >>>>> As your comment shows, having quotes around 'E:' and also not >>>>> including the slash will cause an issue, both of which are not taken care >>>>> of in the 9.2.5 icacls command. >>>>> >>>> >>>> Sure. Will look into this. You ran into this issue during the >>>> installation? Or when you run the initcluster script manually? >>>> >>>> >>> I can reproduce this issue both ways. If you run the GUI installer >>> with the E: drive completely empty and with the administrators group as the >>> only group with permissions as I have given in the 'icacls E:\' command, >>> you will first run into issue #1. To get issue #2, what I have done is >>> explicitly create the postgres install directory if it does not exist and >>> set read and write permissions on the directory. I do this before running >>> the installer. >>> >>> I can run the same exact icacls command initcluster.vbs runs, and it >>> passes with flying colors (for both 9.2.4 and 9.2.5). I even have saved >>> off the radxxxx.bat file and have run that and it still passes with flying >>> colors. The issue crops up when running the batch file within vb. Oddly >>> enough, if I run the vb script a second time (not through the installer), >>> it will give the correct permissions. So I think there is a bug in vb that >>> initcluster.vbs is exploiting with the 'icacls "E:" ...' command. I have >>> created a vb script that only has the doCmd(...) method in it and I pass in >>> my own icacls command and I still get this issue. >>> >>>> >>>>> Hopefully I have clearly stated the issues. If these issues have not >>>>> been reported and there are any issues understanding what I wrote, feel >>>>> free to reply to this email. >>>>> >>>>> thanks, >>>>> David >>>>> >>>> >>>> >>>> >>>> -- >>>> Sandeep Thakkar >>>> >>>> >>> >> >> >> -- >> Sandeep Thakkar >> >> > > -- Sandeep Thakkar
Re: permission issues with PostgreSQL 9.2 EnterpriseDB one-click installer on windows 7 causes initcluster to fail
From
David Fleischhauer
Date:
Thanks for fixing it! I will be looking out for the change in later release= s. > On Jan 21, 2014, at 3:51 AM, Sandeep Thakkar <sandeep.thakkar@enterprisedb= .com> wrote: >=20 > Thanks. This will be taken care of in the next updates. But, please note t= hat all this ACL changes will be done only when "--enable_acledit 1" switch i= s provided on the command line when the installer is run. >=20 >=20 >> On Wed, Dec 18, 2013 at 8:31 PM, David Fleischhauer <dgfleisch@gmail.com>= wrote: >>=20 >>=20 >>=20 >>> On Wed, Dec 18, 2013 at 2:58 AM, Sandeep Thakkar <sandeep.thakkar@enterp= risedb.com> wrote: >>>=20 >>>=20 >>>=20 >>>> On Mon, Dec 16, 2013 at 9:26 PM, David Fleischhauer <dgfleisch@gmail.co= m> wrote: >>>> I have added my comments inline as well: >>>>=20 >>>>=20 >>>>> On Mon, Dec 16, 2013 at 1:35 AM, Sandeep Thakkar <sandeep.thakkar@ente= rprisedb.com> wrote: >>>>> Hi David >>>>>=20 >>>>> Thanks for checking and reporting this. Before we proceed, we would li= ke some more information. Please see the comments inline. >>>>>=20 >>>>>=20 >>>>>> On Fri, Dec 13, 2013 at 11:00 PM, david fleischhauer <dgfleisch@gmail= .com> wrote: >>>>>> I have noted two bugs dealing with permissions with the EnterpriseDB o= ne-click installer. Both are similar cases: >>>>>>=20 >>>>>> 1. Permissions are not given to the PostgreSQL bin directory. If I t= ry to install postgres on a drive with limited permissions (for my test, onl= y the 'Administrators' group had permissions), I get an error saying "libint= l-8.dll" is missing. That file is located in the postgres bin directory. T= he issue is that your initcluster.vbs script only gives permissions for the d= ata directory and the parent directories of the data directory. In order fo= r postgres to install correctly, permissions need to be added for the bin di= rectory. >>>>>=20 >>>>> initcluster.vbs is supposed to deal only with the cluster directory an= d it's permissions. Could you list the ACL on the E:\ drive please? Command l= ine output will do. (icacls E:\)=20 >>>>=20 >>>>=20 >>>> E:\>icacls E:\ >>>> E:\ BUILTIN\Administrators:(OI)(CI)(F) >>>>=20 >>>> Successfully processed 1 files; Failed processing 0 files >>>>=20 >>>> I understand your reasoning that initcluster.vbs should only deal w= ith permissions related to the data directory, but in order to create the da= ta cluster, you need to run initdb which is in the bin directory. I am assu= ming my issue is related to the initdb command using dll libraries in the bi= n directory that it cannot find because the current logged in user does not h= ave read rights to the bin directory. Giving read rights to the bin directo= ry before running initcluster.vbs fixes my issue. This issue affects the de= fault GUI installer too. The GUI installer never sets permissions for the b= in directory. One thing to note, all of my testing has been done with a dat= a directory that is not a sibling of the bin directory. I do not think this= is necessary to reproduce the problem but I have done that to ensure the ic= acls commands on the data directory does not interfere with the permissions o= f the bin directory and mask the problem somehow. >>>=20 >>> You mean your installation location and the data directory location was o= n different drives? Or just the different paths in E:\?=20 >>=20 >>=20 >> They can be on different drive if you want them to be, or they can just b= e on different paths in the same directory. For instance: >>=20 >> Postgres Bin Dir: E:\dir\PostgreSQL\9.2\bin >> Postgres Data Dir: E:\dir\data >>=20 >> the point is to get a situation where initcluster.vbs does not give permi= ssions to bin directory's parent (i.e. E:\dir\PostgreSQL\9.2). initcluster.= vbs would only give permissions to that directory if the data dir is a sibli= ng of the bin directory (i.e. E:\dir\PostgreSQL\9.2\data) >>=20 >> Here is a list of steps to follow to recreate the issue: >>=20 >> 1. Empty out your E:\ drive so that there is nothing left in it. >> 2. Right-click on the E:\ drive in an explorer window and click "Propert= ies" >> 3. Click on the "Security" tab >> 4. Click "Edit..." >> 5. Click "Remove" for all "Group or User Names" except for "Administrato= rs (<cpuname>\Administrators)". If Administrators is not listed,, add it. >> 6. Click "Apply" and close out of all windows >> 7. Double click on the postgres installer =3D> postgresql-9.2.5-1-window= s-x64.exe. Make sure the installer is version 9.2.5 or later >> 8. When prompted for the installation directory, type in: E:\dir\Postgr= eSQL\9.2\ >> 9. When prompted for the data directory, type in: E:\dir\data >> 10. Answer all the other questions. The installation should fail due to a= libintl-8.dll file not being found (issue #1). The file should be located i= n the postgres bin directory >> 11. Uninstall PostgreSQL 9.2 >> 12. Repeat steps 1-6 >> 13. Run the following commands: =20 >> mkdir "E:\dir\PostgreSQL\9.2\" >> icacls "E:\dir\PostgreSQL\9.2\" /grant "NT AUTHORITY\Networ= kService":"(OI)(CI)RX" >> icacls "E:\dir\PostgreSQL\9.2\" /grant "<logged-in user>":"= (OI)(CI)RX" >> 14. Repeat steps 7-10. The installation should fail again, but give you a= different error (issue #2). >> 15. Repeat steps 2 and 3. You should only see "Administrators (<cpuname>= \Administrators)" under "Group or User Names". Notice that no permissions w= ere granted for the "NT AUTHORITY\NetworkService" or the logged in user. If= you go to "E:\dir" and look at its security tab under properties, you will s= ee the logged in user present under "Group or User Names", so the icacls com= mand succeeded for "E:\dir". >>=20 >> Now go into your temp directory and look at install-postgresql.log. You w= ill see the following error: >>=20 >>=20 >> The database cluster will be initialized with locale "English_United S= tates.1252". >> The default text search configuration will be set to "english". >>=20 >> fixing permissions on existing directory E:/dir/data ... ok >> creating subdirectories ... initdb: could not create directory "E:/di= r": File exists >> initdb: removing contents of data directory "E:/dir/data" >>=20 >> Called Die(Failed to initialise the database cluster with initdb)... >> Failed to initialise the database cluster with initdb >>=20 >> You will also see a little bit further up: >>=20 >> Executing icacls to ensure the <logged-in user> account can read the p= ath E: >> Executing batch file 'radAC52112.bat'... >> processed file: E: >>=20 >> Successfully processed 1 files; Failed processing 0 files >>=20 >> Which leads you to believe it correctly gave permissions to the E: drive,= but as we confirmed earlier, it did not. If you follow these steps, hopefu= lly you will be able to recreate my issues. >> =20 >>>>>>=20 >>>>>> 2. Permissions are not properly given to the PostgreSQL data directo= ry's root drive in PostgreSQL version 9.2.5 and up. In PostgreSQL 9.2.4 the= re is a comment in the initcluster.vbs script saying: >>>>>=20 >>>>> Yes, In 9.2.5, initcluster script has undergone some changes because l= ot of people did not want the initcluster to change the permissions on the c= omplete parent path of the data directory as icacls would take a lot of time= to do this if that path contains huge number of files. Hence, from 9.2.5, b= y default the initcluster will change the permissions of just the 'data' dir= ectory. If user wants the ACL to be edited on the complete path, then he can= do it with a new command line option "--enable_acledit 1". >>>>=20 >>>> Yeah, the new flag is a good idea and changing the script is ok, its ju= st when it was changed, a really weird corner case that was explicitly handl= ed before is no longer being handled. >>>=20 >>> I executed the following command: >>> icacls "E:" /grant "NT AUTHORITY\NetworkService":(NP)(RX)=20 >>>=20 >>> and this command worked fine. I used the double quotes around the drive a= nd it does not end with slash. So, my guess is that the comment in the scrip= t is not relevant anymore? and the issue#2 also appears because of the permi= ssions? >>=20 >> If you open up a cmd windows and type icacls "E:" /grant "NT AUTHORITY\N= etworkService":(NP)(RX), it will pass and grant you the correct permissions.= How to get the error is to remove all permissions from the drive except fo= r the administrators group and run the DoCmd(strCmd) method in VB. Here is t= he method for reference: >>=20 >> ' Execute a command >> Function DoCmd(strCmd) >> Dim objBatchFile >> Set objBatchFile =3D objTempFolder.CreateTextFile(strBatchFile, T= rue) >> objBatchFile.WriteLine "@ECHO OFF" >> objBatchFile.WriteLine strCmd & " > """ & strOutputFile & """ 2>&= 1" >> objBatchFile.WriteLine "EXIT /B %ERRORLEVEL%" >> objBatchFile.Close >> WScript.Echo " Executing batch file '" & strBatchFile & "'..."= >> DoCmd =3D objShell.Run(objTempFolder.Path & "\" & strBatchFile, 0= , True) >> If objFso.FileExists(objTempFolder.Path & "\" & strBatchFile) =3D= True Then >> objFso.DeleteFile objTempFolder.Path & "\" & strBatchFile, Tr= ue >> Else >> WScript.Echo " Batch file '" & strBatchFile & "' does not e= xist..." >> End If >> If objFso.FileExists(strOutputFile) =3D True Then >> Dim objOutputFile >> Set objOutputFile =3D objFso.OpenTextFile(strOutputFile, ForR= eading) >> WScript.Echo " " & objOutputFile.ReadAll >> objOutputFile.Close >> objFso.DeleteFile strOutputFile, True >> Else >> WScript.Echo " Output file does not exists..." >> End If >> End Function >>=20 >> It first creates a batch file and writes three lines to it: >>=20 >> @echo off >> icacls ... >> EXIT /B %ERRORLEVEL% >>=20 >> then it calls: >>=20 >> DoCmd =3D objShell.Run(objTempFolder.Path & "\" & strBatchFile, 0, Tr= ue) >>=20 >> if you pass in 'icacls "E:" /grant "NT AUTHORITY\NetworkService":(NP)(RX= )' to the DoCmd with an empty E:\ drive and the correct permissions, you wil= l see that the icacls command is executed and outputs that the command passe= s. However, if you go back and look at the permissions on the E:\ drive, yo= u will see that the permissions actually did not get set. I believe this is= an issue with vb itself as the icacls command should not pass when it obvio= usly is failing. >>=20 >>>>=20 >>>>>> =20 >>>>>>=20 >>>>>> ' Drive letter must not be surrounded by double-quotes and ends w= ith slash (\) >>>>>> ' "icacls" fails on the drives with (NP) flag >>>>>>=20 >>>>>> In version 9.2.5, the initcluster.vbs script has been changed and the= above corner case is not taken care of. Again, to reproduce this issue, I s= et the E drive of my machine to only give permissions to the 'Administrators= ' group and my E drive was completely empty. I also had to fixed issue #1 t= o get this issue to pop up. The error I am getting from the logfile is: >>>>>>=20 >>>>>> The database cluster will be initialized with locale "English_Uni= ted States.1252". >>>>>> The default text search configuration will be set to "english". >>>>>>=20 >>>>>> fixing permissions on existing directory E:/dir/data ... ok >>>>>> creating subdirectories ... initdb: could not create directory "E= :/dir": File exists >>>>>> initdb: removing contents of data directory "E:/dir/data" >>>>>>=20 >>>>>> Called Die(Failed to initialise the database cluster with initdb)= ... >>>>>> Failed to initialise the database cluster with initdb >>>>>>=20 >>>>>> Here are the slight differences between the icacls command to grant p= ermissions to the root drive in 9.2.4 and 9.2.5: >>>>>>=20 >>>>>> 9.2.4: icacls E:\ /grant ... >>>>>> 9.2.5: icacls "E:" /grant ... >>>>>>=20 >>>>>> As your comment shows, having quotes around 'E:' and also not includi= ng the slash will cause an issue, both of which are not taken care of in the= 9.2.5 icacls command. >>>>>=20 >>>>> Sure. Will look into this. You ran into this issue during the installa= tion? Or when you run the initcluster script manually? >>>>=20 >>>> I can reproduce this issue both ways. If you run the GUI installer wi= th the E: drive completely empty and with the administrators group as the on= ly group with permissions as I have given in the 'icacls E:\' command, you w= ill first run into issue #1. To get issue #2, what I have done is explicitl= y create the postgres install directory if it does not exist and set read an= d write permissions on the directory. I do this before running the installe= r. >>>>=20 >>>> I can run the same exact icacls command initcluster.vbs runs, and it pa= sses with flying colors (for both 9.2.4 and 9.2.5). I even have saved off t= he radxxxx.bat file and have run that and it still passes with flying colors= . The issue crops up when running the batch file within vb. Oddly enough, i= f I run the vb script a second time (not through the installer), it will giv= e the correct permissions. So I think there is a bug in vb that initcluster= .vbs is exploiting with the 'icacls "E:" ...' command. I have created a vb s= cript that only has the doCmd(...) method in it and I pass in my own icacls c= ommand and I still get this issue. >>>>>>=20 >>>>>> Hopefully I have clearly stated the issues. If these issues have not= been reported and there are any issues understanding what I wrote, feel fre= e to reply to this email. >>>>>>=20 >>>>>> thanks, >>>>>> David >>>>>=20 >>>>>=20 >>>>>=20 >>>>> --=20 >>>>> Sandeep Thakkar >>>=20 >>>=20 >>>=20 >>> --=20 >>> Sandeep Thakkar >=20 >=20 >=20 > --=20 > Sandeep Thakkar >=20