Thread: initdb failed on Windows 2000
Hi, I have compiled PostgreSQL 8.2.4 with MinGW on Windows 2000. Then I have executed initdb as Administrator. However initdb failed with the following message. ---- The program "postgres" is needed by initdb but was not found in the same directory as "C:\msys\1.0\local\pgsql\bin/initdb". Check your installation. ---- So, I have debugged initdb.exe. I found that CreatePipe() was failed with ERROR_ACCESS_DENIED in exec.c:pipe_read_line(). Does anyone know why CreatePipe() was failed with ERROR_ACCESS_DENIED? Or is there a way that Administrator can execute initdb.exe on Windows 2000? Regards, -- Yoshiyuki Asaba y-asaba@sraoss.co.jp
Hi,
From: Yoshiyuki Asaba <y-asaba@sraoss.co.jp>
Subject: [HACKERS] initdb failed on Windows 2000
Date: Mon, 27 Aug 2007 20:46:35 +0900 (JST)
> I have compiled PostgreSQL 8.2.4 with MinGW on Windows 2000. Then I
> have executed initdb as Administrator. However initdb failed with the
> following message.
>
> ----
> The program "postgres" is needed by initdb but was not found in the
> same directory as "C:\msys\1.0\local\pgsql\bin/initdb".
> Check your installation.
> ----
>
> So, I have debugged initdb.exe. I found that CreatePipe() was failed
> with ERROR_ACCESS_DENIED in exec.c:pipe_read_line().
The attached files are test programs.
% gcc -o child.exe child.c % gcc -o parent.exe parent.c
When parent.exe is executed by Power Users or Users, the result is
good. However, CreatePipe() is failed when Administrator do.
% ./parent.exe CreatePipe() failed: 5
Regards,
--
Yoshiyuki Asaba
y-asaba@sraoss.co.jp
#include <stdio.h>
#include <windows.h>
typedef BOOL(WINAPI * __CreateRestrictedToken) (HANDLE, DWORD, DWORD, PSID_AND_ATTRIBUTES, DWORD,
PLUID_AND_ATTRIBUTES,DWORD, PSID_AND_ATTRIBUTES, PHANDLE);
#define DISABLE_MAX_PRIVILEGE 0x1
/** Create a restricted token and execute the specified process with it.** Returns 0 on failure, non-zero on success,
sameas CreateProcess().** On NT4, or any other system not containing the required functions, will* NOT execute
anything.*/
static int
CreateRestrictedProcess(char *cmd)
{BOOL b;STARTUPINFO si;HANDLE origToken;HANDLE restrictedToken;SID_IDENTIFIER_AUTHORITY
NtAuthority= {SECURITY_NT_AUTHORITY};SID_AND_ATTRIBUTES dropSids[2];__CreateRestrictedToken _CreateRestrictedToken =
NULL;HANDLE Advapi32Handle;PROCESS_INFORMATION pi;
ZeroMemory(&pi, sizeof(pi));ZeroMemory(&si, sizeof(si));si.cb = sizeof(si);
Advapi32Handle = LoadLibrary("ADVAPI32.DLL");if (Advapi32Handle != NULL){ _CreateRestrictedToken =
(__CreateRestrictedToken)GetProcAddress(Advapi32Handle, "CreateRestrictedToken");}
if (_CreateRestrictedToken == NULL){ fprintf(stderr, "WARNING: Unable to create restricted tokens on this
platform\n"); if (Advapi32Handle != NULL) FreeLibrary(Advapi32Handle); return 0;}
/* Open the current token to use as a base for the restricted one */if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ALL_ACCESS,&origToken)){ fprintf(stderr, "Failed to open process token: %lu\n", GetLastError()); return
0;}
/* Allocate list of SIDs to remove */ZeroMemory(&dropSids, sizeof(dropSids));if
(!AllocateAndInitializeSid(&NtAuthority,2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0,
0, &dropSids[0].Sid) || !AllocateAndInitializeSid(&NtAuthority,
2,SECURITY_BUILTIN_DOMAIN_RID,DOMAIN_ALIAS_RID_POWER_USERS, 0, 0, 0, 0, 0, 0,
&dropSids[1].Sid)){ fprintf(stderr, "Failed to allocate SIDs: %lu\n", GetLastError()); return 0;}
b = _CreateRestrictedToken(origToken, DISABLE_MAX_PRIVILEGE,
sizeof(dropSids)/ sizeof(dropSids[0]), dropSids, 0, NULL,
0, NULL, &restrictedToken);
FreeSid(dropSids[1].Sid);FreeSid(dropSids[0].Sid);CloseHandle(origToken);FreeLibrary(Advapi32Handle);
if (!b){ fprintf(stderr, "Failed to create restricted token: %lu\n", GetLastError()); return 0;}
CreateProcessAsUser(restrictedToken, NULL, cmd, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi);
WaitForSingleObject(pi.hProcess,INFINITE);CloseHandle(pi.hThread);CloseHandle(pi.hProcess);return 0;
}
int main(void)
{CreateRestrictedProcess("child.exe");return 0;
}
#include <stdio.h>
#include <windows.h>
int main(void)
{ SECURITY_ATTRIBUTES sattr;HANDLE childstdoutrd, childstdoutwr, childstdoutrddup,
file,pipe;PROCESS_INFORMATION pi;STARTUPINFO si;
sattr.nLength = sizeof(SECURITY_ATTRIBUTES);sattr.bInheritHandle = TRUE;sattr.lpSecurityDescriptor = NULL;
SetLastError(0); if (!CreatePipe(&childstdoutrd, &childstdoutwr, &sattr, 0)) printf("CreatePipe() failed:
%lu\n",GetLastError()); else puts("ok");
CloseHandle(childstdoutrd); CloseHandle(childstdoutwr);
return 0;
}
Yoshiyuki Asaba wrote: > >> I have compiled PostgreSQL 8.2.4 with MinGW on Windows 2000. Then I >> have executed initdb as Administrator. However initdb failed with the >> following message. >> >> ---- >> The program "postgres" is needed by initdb but was not found in the >> same directory as "C:\msys\1.0\local\pgsql\bin/initdb". >> Check your installation. >> ---- >> >> So, I have debugged initdb.exe. I found that CreatePipe() was failed >> with ERROR_ACCESS_DENIED in exec.c:pipe_read_line(). >> > > The attached files are test programs. > > % gcc -o child.exe child.c > % gcc -o parent.exe parent.c > > When parent.exe is executed by Power Users or Users, the result is > good. However, CreatePipe() is failed when Administrator do. > > % ./parent.exe > CreatePipe() failed: 5 > > > What do you want us to do about it? Isn't this a case of "don't do that, then"? Run initdb as some other user. We don't let you run initdb as root on Unix, so we're just being consistent. In fact, we're being more liberal on Windows than on Unix because we make some provision for the restricted token gadget. cheers andrew
Hi, From: Andrew Dunstan <andrew@dunslane.net> Subject: Re: [HACKERS] initdb failed on Windows 2000 Date: Wed, 29 Aug 2007 08:57:55 -0400 > What do you want us to do about it? Isn't this a case of "don't do that, > then"? Run initdb as some other user. We don't let you run initdb as > root on Unix, so we're just being consistent. In fact, we're being more > liberal on Windows than on Unix because we make some provision for the > restricted token gadget. Administrator can run initdb on Windows XP, Server 2003 and Vista. Is this right? -- Yoshiyuki Asaba y-asaba@sraoss.co.jp
Yoshiyuki Asaba wrote: > > > Administrator can run initdb on Windows XP, Server 2003 and Vista. > Is this right? > > > Well, I gave up on trying to get Vista to work, and I found I needed a non-Administrator user to run my new buildfarm member on XP-Pro, so I am means sure it is right. cheers andrew
I wrote: > > > so I am means sure it is right. > > I meant, of course, "so I am by no means sure it is right" That's what I get for multitasking. cheers andrew
On Wed, Aug 29, 2007 at 08:57:55AM -0400, Andrew Dunstan wrote: > > > Yoshiyuki Asaba wrote: > > > >>I have compiled PostgreSQL 8.2.4 with MinGW on Windows 2000. Then I > >>have executed initdb as Administrator. However initdb failed with the > >>following message. > >> > >>---- > >>The program "postgres" is needed by initdb but was not found in the > >>same directory as "C:\msys\1.0\local\pgsql\bin/initdb". > >>Check your installation. > >>---- > >> > >>So, I have debugged initdb.exe. I found that CreatePipe() was failed > >>with ERROR_ACCESS_DENIED in exec.c:pipe_read_line(). > >> > > > >The attached files are test programs. > > > > % gcc -o child.exe child.c > > % gcc -o parent.exe parent.c > > > >When parent.exe is executed by Power Users or Users, the result is > >good. However, CreatePipe() is failed when Administrator do. > > > > % ./parent.exe > > CreatePipe() failed: 5 > > > > > > > > What do you want us to do about it? Isn't this a case of "don't do that, > then"? Run initdb as some other user. We don't let you run initdb as > root on Unix, so we're just being consistent. In fact, we're being more > liberal on Windows than on Unix because we make some provision for the > restricted token gadget. FWIW, I regularly run initdb as administrator, and it works perfectly fine. So what you need to do is to try to figure out *why* CreatePipe() fails. Process Monitor or a debugger might help. //Magnus
Hi, From: Magnus Hagander <magnus@hagander.net> Subject: Re: [HACKERS] initdb failed on Windows 2000 Date: Thu, 30 Aug 2007 10:14:45 +0200 > On Wed, Aug 29, 2007 at 08:57:55AM -0400, Andrew Dunstan wrote: > > > > > > Yoshiyuki Asaba wrote: > > > > > >>I have compiled PostgreSQL 8.2.4 with MinGW on Windows 2000. Then I > > >>have executed initdb as Administrator. However initdb failed with the > > >>following message. > > >> > > >>---- > > >>The program "postgres" is needed by initdb but was not found in the > > >>same directory as "C:\msys\1.0\local\pgsql\bin/initdb". > > >>Check your installation. > > >>---- > > >> > > >>So, I have debugged initdb.exe. I found that CreatePipe() was failed > > >>with ERROR_ACCESS_DENIED in exec.c:pipe_read_line(). > > >> > > > > > >The attached files are test programs. > > > > > > % gcc -o child.exe child.c > > > % gcc -o parent.exe parent.c > > > > > >When parent.exe is executed by Power Users or Users, the result is > > >good. However, CreatePipe() is failed when Administrator do. > > > > > > % ./parent.exe > > > CreatePipe() failed: 5 > > > > > > > > > > > > > What do you want us to do about it? Isn't this a case of "don't do that, > > then"? Run initdb as some other user. We don't let you run initdb as > > root on Unix, so we're just being consistent. In fact, we're being more > > liberal on Windows than on Unix because we make some provision for the > > restricted token gadget. > > FWIW, I regularly run initdb as administrator, and it works perfectly fine. Hmm... I found the same report. http://archives.postgresql.org/pgsql-bugs/2007-02/msg00083.php > So what you need to do is to try to figure out *why* CreatePipe() fails. > Process Monitor or a debugger might help. OK, I'll try it. Thank you! -- Yoshiyuki Asaba y-asaba@sraoss.co.jp