Re: initdb failed on Windows 2000 - Mailing list pgsql-hackers

Hi,

From: Yoshiyuki Asaba <y-asaba@sraoss.co.jp>
Subject: [HACKERS] initdb failed on Windows 2000
Date: Mon, 27 Aug 2007 20:46:35 +0900 (JST)

> I have compiled PostgreSQL 8.2.4 with MinGW on Windows 2000. Then I
> have executed initdb as Administrator. However initdb failed with the
> following message.
> 
> ----
> The program "postgres" is needed by initdb but was not found in the
> same directory as "C:\msys\1.0\local\pgsql\bin/initdb".
> Check your installation.
> ----
> 
> So, I have debugged initdb.exe. I found that CreatePipe() was failed
> with ERROR_ACCESS_DENIED in exec.c:pipe_read_line().

The attached files are test programs.
 % gcc -o child.exe child.c % gcc -o parent.exe parent.c

When parent.exe is executed by Power Users or Users, the result is
good. However, CreatePipe() is failed when Administrator do.
 % ./parent.exe CreatePipe() failed: 5

Regards,
--
Yoshiyuki Asaba
y-asaba@sraoss.co.jp
#include <stdio.h>
#include <windows.h>

typedef        BOOL(WINAPI * __CreateRestrictedToken) (HANDLE, DWORD, DWORD, PSID_AND_ATTRIBUTES, DWORD,
PLUID_AND_ATTRIBUTES,DWORD, PSID_AND_ATTRIBUTES, PHANDLE);
 

#define DISABLE_MAX_PRIVILEGE    0x1

/** Create a restricted token and execute the specified process with it.** Returns 0 on failure, non-zero on success,
sameas CreateProcess().** On NT4, or any other system not containing the required functions, will* NOT execute
anything.*/
static int
CreateRestrictedProcess(char *cmd)
{BOOL        b;STARTUPINFO si;HANDLE        origToken;HANDLE        restrictedToken;SID_IDENTIFIER_AUTHORITY
NtAuthority= {SECURITY_NT_AUTHORITY};SID_AND_ATTRIBUTES dropSids[2];__CreateRestrictedToken _CreateRestrictedToken =
NULL;HANDLE       Advapi32Handle;PROCESS_INFORMATION pi;
 
ZeroMemory(&pi, sizeof(pi));ZeroMemory(&si, sizeof(si));si.cb = sizeof(si);
Advapi32Handle = LoadLibrary("ADVAPI32.DLL");if (Advapi32Handle != NULL){    _CreateRestrictedToken =
(__CreateRestrictedToken)GetProcAddress(Advapi32Handle, "CreateRestrictedToken");}
 
if (_CreateRestrictedToken == NULL){    fprintf(stderr, "WARNING: Unable to create restricted tokens on this
platform\n");   if (Advapi32Handle != NULL)        FreeLibrary(Advapi32Handle);    return 0;}
 
/* Open the current token to use as a base for the restricted one */if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ALL_ACCESS,&origToken)){    fprintf(stderr, "Failed to open process token: %lu\n", GetLastError());    return
0;}
/* Allocate list of SIDs to remove */ZeroMemory(&dropSids, sizeof(dropSids));if
(!AllocateAndInitializeSid(&NtAuthority,2,     SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0,
                        0, &dropSids[0].Sid) ||    !AllocateAndInitializeSid(&NtAuthority,
2,SECURITY_BUILTIN_DOMAIN_RID,DOMAIN_ALIAS_RID_POWER_USERS, 0, 0, 0, 0, 0,                              0,
&dropSids[1].Sid)){   fprintf(stderr, "Failed to allocate SIDs: %lu\n", GetLastError());    return 0;}
 
b = _CreateRestrictedToken(origToken,                           DISABLE_MAX_PRIVILEGE,
sizeof(dropSids)/ sizeof(dropSids[0]),                           dropSids,                           0, NULL,
               0, NULL,                           &restrictedToken);
 
FreeSid(dropSids[1].Sid);FreeSid(dropSids[0].Sid);CloseHandle(origToken);FreeLibrary(Advapi32Handle);
if (!b){    fprintf(stderr, "Failed to create restricted token: %lu\n", GetLastError());    return 0;}
       CreateProcessAsUser(restrictedToken, NULL, cmd, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi);
WaitForSingleObject(pi.hProcess,INFINITE);CloseHandle(pi.hThread);CloseHandle(pi.hProcess);return 0;
 
}

int main(void)
{CreateRestrictedProcess("child.exe");return 0;
}
#include <stdio.h>
#include <windows.h>

int main(void)
{     SECURITY_ATTRIBUTES sattr;HANDLE        childstdoutrd,            childstdoutwr,            childstdoutrddup,
file,pipe;PROCESS_INFORMATION pi;STARTUPINFO si;
 
     sattr.nLength = sizeof(SECURITY_ATTRIBUTES);sattr.bInheritHandle = TRUE;sattr.lpSecurityDescriptor = NULL;
SetLastError(0);     if (!CreatePipe(&childstdoutrd, &childstdoutwr, &sattr, 0))           printf("CreatePipe() failed:
%lu\n",GetLastError());       else    puts("ok");
 
CloseHandle(childstdoutrd);     CloseHandle(childstdoutwr);
return 0;
}