Thread: Re: PgSQL not as Administrator - probs on w

Re: PgSQL not as Administrator - probs on w

From
"Magnus Hagander"
Date:
>> I ran into this same problem with doing the installer - it needs to call
>> initdb, and the installer runs as high-priv account... Haven't quite
>> figured out how to handle that now - the snapshot I'm working off at
>> home only does initdb on 2000/XP/2003 for the moment. If someone has any
>> good ideas on this, please let me know.
>>
>> //Magnus
>
>Sounds like you need
>
>LogonUser
>ImpersonateLoggedonUser
>CreateProcessAsUser
>
>function calls to behave as a low priv user or launch a
>program as a low priv user.
>
>I have never used these myself, but a quick scan through MSDN
>suggests they may be what you need.
>
>You may have already tried these of course!

The priv causing the problem is ReplaceProcessLevelToken. And the
problem is not activating it, the problem is that it's not granted at
all by default.
IIRC CreateProcessAsUser is the one being used by 2k/XP with the
CreateProcessAndLogin() API (I may have misspelled that one, but it's
something like that)

//Magnus

Re: PgSQL not as Administrator - probs on w

From
"Gary Doades"
Date:
On 2 Jul 2004 at 17:42, Magnus Hagander wrote:

> The priv causing the problem is ReplaceProcessLevelToken. And the
> problem is not activating it, the problem is that it's not granted at
> all by default.
> IIRC CreateProcessAsUser is the one being used by 2k/XP with the
> CreateProcessAndLogin() API (I may have misspelled that one, but it's
> something like that)
>
> //Magnus
>

I see.

Privileges and security descriptors in NT+ are a real pain to manipulate in code.

Digging deeper....

I think the call you refer to is CreateProcessWithLogonW(). This is only available with
2000/XP/2003 and not NT. With NT you must use the functions I mentioned earlier and
you need certain privs.
Apparently there is a utility in Windows NT Server 4.0 Resource Kit Supplement 3
(free distribution AFAIK) called ntrights.exe. With this you could call it from
your installer to grant the SeAssignPrimaryTokenPrivilege which corresponds to
the display name "Replace a process level token".
I don't have access to the resource kit at the moment as I am home for the
weekend. If it's not downloadable I should be able to get it on Monday. It's
probably not an ideal solution, but it looks like it should work.

Cheers,
Gary.


Re: PgSQL not as Administrator - probs on w

From
"Gary Doades"
Date:
On 2 Jul 2004 at 17:42, Magnus Hagander wrote:

> The priv causing the problem is ReplaceProcessLevelToken. And the
> problem is not activating it, the problem is that it's not granted at
> all by default.
> IIRC CreateProcessAsUser is the one being used by 2k/XP with the
> CreateProcessAndLogin() API (I may have misspelled that one, but it's
> something like that)
>
> //Magnus
>

I think you can call LookupPrivilegeValue() using SE_ASSIGNPRIMARYTOKEN_NAME
as the privilege constant and then call AdjustTokenPrivileges() on the
handle returned from LogonUser before doing the impersonation or
CreateProcessAsUser.

I don't have time to try right now, but I may have a go to see if this
works tomorrow. I don't have access to an NT machine though, so I
could only test to see that it gave no errors on 2000 pro XP.

Cheers,
Gary.
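
The thread turns on whether the privilege is merely disabled in the token or not present in it at all. The following is an added example, not code from any poster or from the PostgreSQL installer: a pre-flight check an installer could run, where the function name Get-PrivilegeState and the sample rows are hypothetical and the State values are assumed to be the English "Enabled"/"Disabled".

```powershell
# Added example: classify a privilege in the current process token as
# Enabled, Disabled (granted, can be switched on) or NotGranted (absent).
function Get-PrivilegeState {
    param(
        [string]$Privilege = 'SeAssignPrimaryTokenPrivilege',
        # Rows in `whoami /priv /fo csv /nh` format; defaults to the live token.
        [string[]]$PrivCsv = (whoami /priv /fo csv /nh)
    )
    # /nh suppresses the localized header row, so the columns are named here.
    $rows = $PrivCsv | ConvertFrom-Csv -Header Name, Description, State
    $row  = $rows | Where-Object { $_.Name -eq $Privilege } | Select-Object -First 1
    if (-not $row) { return 'NotGranted' }
    # Assumption: English-language State values.
    return $row.State
}

function Get-PrivilegeAdvice {
    param([string]$State)
    switch ($State) {
        'Enabled'    { 'Privilege is present and enabled.' }
        'Disabled'   { 'Privilege is granted but disabled; AdjustTokenPrivileges can enable it.' }
        'NotGranted' { 'Privilege is not in the token; AdjustTokenPrivileges cannot add it. ' +
                       'The account right has to be granted first and takes effect at the next logon.' }
        default      { "Unrecognised state '$State' (non-English output?)." }
    }
}

# Constructed sample rows: a token that lacks SeAssignPrimaryTokenPrivilege.
$sample = @(
    '"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"',
    '"SeShutdownPrivilege","Shut down the system","Disabled"'
)
Get-PrivilegeAdvice (Get-PrivilegeState -PrivCsv $sample)
Get-PrivilegeAdvice (Get-PrivilegeState -Privilege 'SeShutdownPrivilege' -PrivCsv $sample)

# Live check against the token of the process running this script.
Get-PrivilegeAdvice (Get-PrivilegeState)
```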