Hi,

From: Yoshiyuki Asaba <[EMAIL PROTECTED]>
Subject: [HACKERS] initdb failed on Windows 2000
Date: Mon, 27 Aug 2007 20:46:35 +0900 (JST)

> I have compiled PostgreSQL 8.2.4 with MinGW on Windows 2000. Then I
> have executed initdb as Administrator. However initdb failed with the
> following message.
> 
> ----
> The program "postgres" is needed by initdb but was not found in the
> same directory as "C:\msys\1.0\local\pgsql\bin/initdb".
> Check your installation.
> ----
> 
> So, I have debugged initdb.exe. I found that CreatePipe() was failed
> with ERROR_ACCESS_DENIED in exec.c:pipe_read_line().

The attached files are test programs: parent.c starts child.exe with a restricted token, and child.c calls CreatePipe().

  % gcc -o child.exe child.c
  % gcc -o parent.exe parent.c

When parent.exe is executed by a member of Power Users or Users, the result is
good. However, CreatePipe() fails when Administrator runs it (error 5 is ERROR_ACCESS_DENIED).

  % ./parent.exe
  CreatePipe() failed: 5

Regards,
--
Yoshiyuki Asaba
[EMAIL PROTECTED]
#include <stdio.h>
#include <windows.h>

/*
 * Function-pointer type for CreateRestrictedToken().  The function is looked
 * up at run time with GetProcAddress() rather than linked directly, so the
 * program can still start on systems whose ADVAPI32.DLL does not export it.
 * NOTE(review): the leading double underscore is in the namespace C reserves
 * for the implementation; kept only because the rest of the file uses it.
 */
typedef         BOOL(WINAPI * __CreateRestrictedToken) (HANDLE, DWORD, DWORD, 
PSID_AND_ATTRIBUTES, DWORD, PLUID_AND_ATTRIBUTES, DWORD, PSID_AND_ATTRIBUTES, 
PHANDLE);

/*
 * Value passed as the Flags argument of CreateRestrictedToken().  In the
 * Windows API this flag disables every privilege in the new token except
 * SeChangeNotifyPrivilege.
 * NOTE(review): presumably defined here because the MinGW headers in use did
 * not provide it -- confirm before building against headers that do.
 */
#define DISABLE_MAX_PRIVILEGE   0x1

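/*
 * Create a restricted token and execute the specified process with it.
 *
 * The restricted token is derived from the current process token: the
 * BUILTIN\Administrators and BUILTIN\Power Users SIDs are passed as SIDs to
 * disable (they become deny-only) and DISABLE_MAX_PRIVILEGE is set.  The
 * call blocks until the child process has exited.
 *
 * cmd is the command line handed to CreateProcessAsUser().  The
 * wide-character variant of that API may modify the buffer, so callers
 * should pass writable storage.
 *
 * Returns 0 on failure, non-zero on success, same as CreateProcess().
 * A diagnostic with the Win32 error code is written to stderr on failure.
 *
 * On NT4, or any other system not containing the required functions, will
 * NOT execute anything.
 */
static int
CreateRestrictedProcess(char *cmd)
{
        BOOL            ok = FALSE;
        STARTUPINFO     si;
        PROCESS_INFORMATION pi;
        HANDLE          origToken = NULL;
        HANDLE          restrictedToken = NULL;
        SID_IDENTIFIER_AUTHORITY NtAuthority = {SECURITY_NT_AUTHORITY};
        SID_AND_ATTRIBUTES dropSids[2];
        __CreateRestrictedToken createRestrictedToken = NULL;
        HMODULE         Advapi32Handle;

        ZeroMemory(&pi, sizeof(pi));
        ZeroMemory(&si, sizeof(si));
        si.cb = sizeof(si);

        /* Zeroed up front so the cleanup path can tell which SIDs exist. */
        ZeroMemory(&dropSids, sizeof(dropSids));

        /* Resolve CreateRestrictedToken() dynamically; it may be absent. */
        Advapi32Handle = LoadLibrary("ADVAPI32.DLL");
        if (Advapi32Handle != NULL)
                createRestrictedToken = (__CreateRestrictedToken)
                        GetProcAddress(Advapi32Handle, "CreateRestrictedToken");

        if (createRestrictedToken == NULL)
        {
                fprintf(stderr, "WARNING: Unable to create restricted tokens on this platform\n");
                goto cleanup;
        }

        /*
         * Open the current token to use as a base for the restricted one.
         * NOTE(review): TOKEN_ALL_ACCESS is broader than this function needs;
         * a narrower mask would follow least privilege, but verify which
         * rights CreateProcessAsUser() requires on the derived token first.
         */
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &origToken))
        {
                fprintf(stderr, "Failed to open process token: %lu\n", GetLastError());
                origToken = NULL;
                goto cleanup;
        }

        /* Allocate list of SIDs to remove */
        if (!AllocateAndInitializeSid(&NtAuthority, 2,
                                      SECURITY_BUILTIN_DOMAIN_RID,
                                      DOMAIN_ALIAS_RID_ADMINS,
                                      0, 0, 0, 0, 0, 0,
                                      &dropSids[0].Sid) ||
            !AllocateAndInitializeSid(&NtAuthority, 2,
                                      SECURITY_BUILTIN_DOMAIN_RID,
                                      DOMAIN_ALIAS_RID_POWER_USERS,
                                      0, 0, 0, 0, 0, 0,
                                      &dropSids[1].Sid))
        {
                fprintf(stderr, "Failed to allocate SIDs: %lu\n", GetLastError());
                goto cleanup;
        }

        /*
         * NOTE(review): the restricted token presumably keeps the default
         * DACL of the original token.  If that DACL grants access only to
         * SIDs that are deny-only in the new token, objects the child creates
         * with a NULL security descriptor may be inaccessible to the child
         * itself.  Inspect TokenDefaultDacl on the new token to confirm.
         */
        if (!createRestrictedToken(origToken,
                                   DISABLE_MAX_PRIVILEGE,
                                   sizeof(dropSids) / sizeof(dropSids[0]),
                                   dropSids,
                                   0, NULL,
                                   0, NULL,
                                   &restrictedToken))
        {
                /* Report before cleanup so the error code is not overwritten. */
                fprintf(stderr, "Failed to create restricted token: %lu\n", GetLastError());
                restrictedToken = NULL;
                goto cleanup;
        }

        /*
         * bInheritHandles is TRUE so the child shares the parent's standard
         * handles; every other inheritable handle of this process is passed
         * to the lower-privileged child as well.
         */
        if (!CreateProcessAsUser(restrictedToken, NULL, cmd, NULL, NULL, TRUE, 0,
                                 NULL, NULL, &si, &pi))
        {
                fprintf(stderr, "Failed to create process: %lu\n", GetLastError());
                goto cleanup;
        }

        ok = TRUE;
        WaitForSingleObject(pi.hProcess, INFINITE);
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);

cleanup:
        /* Release everything acquired so far, on success and failure alike. */
        if (restrictedToken != NULL)
                CloseHandle(restrictedToken);
        if (dropSids[1].Sid != NULL)
                FreeSid(dropSids[1].Sid);
        if (dropSids[0].Sid != NULL)
                FreeSid(dropSids[0].Sid);
        if (origToken != NULL)
                CloseHandle(origToken);
        if (Advapi32Handle != NULL)
                FreeLibrary(Advapi32Handle);

        return ok ? 1 : 0;
}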

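/*
 * Test driver: run child.exe under a restricted token.
 *
 * Always exits with status 0; failures are reported on stderr by
 * CreateRestrictedProcess().
 */
int main(void)
{
        /*
         * Writable copy of the command line: the wide-character variant of
         * CreateProcessAsUser() may modify the buffer, and a string literal
         * must not be written to.  The bare name is resolved through the
         * normal process-creation search order, so run this test from a
         * directory whose contents you trust.
         */
        char            cmd[] = "child.exe";

        CreateRestrictedProcess(cmd);
        return 0;
}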
#include <stdio.h>
#include <windows.h>

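/*
 * Test program: create an anonymous, inheritable pipe and report whether
 * CreatePipe() succeeded.
 *
 * Prints "ok" on success, or "CreatePipe() failed: <code>" with the Win32
 * error code on failure.  Returns 0 on success and 1 on failure.
 */
int main(void)
{
        SECURITY_ATTRIBUTES sattr;
        HANDLE          childstdoutrd = NULL;
        HANDLE          childstdoutwr = NULL;
        DWORD           err;

        sattr.nLength = sizeof(SECURITY_ATTRIBUTES);
        sattr.bInheritHandle = TRUE;

        /*
         * NULL means the pipe gets the default security descriptor taken
         * from the calling process's access token, so the outcome depends on
         * the token this program was started with.
         */
        sattr.lpSecurityDescriptor = NULL;

        SetLastError(0);
        if (!CreatePipe(&childstdoutrd, &childstdoutwr, &sattr, 0))
        {
                /* Capture the code before any other call can overwrite it. */
                err = GetLastError();
                printf("CreatePipe() failed: %lu\n", err);

                /* The handles were never created, so there is nothing to close. */
                return 1;
        }

        puts("ok");

        CloseHandle(childstdoutrd);
        CloseHandle(childstdoutwr);

        return 0;
}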