If postmaster is launched with a restricted security token, with the
"Log in as Service" privilege explicitly removed, the token will contain
SECURITY_SERVICE_RID with the SE_GROUP_USE_FOR_DENY_ONLY flag, and without
the SE_GROUP_ENABLED flag. pgwin32_is_service() was fooled by that, and
thought that it's running as a service. Fix to check for the
SE_GROUP_ENABLED flag, like we do in pgwin32_is_admin().
by Michael Paquier, per Breen Hagan's report and analysis. Back
to all supported versions.
Bug: #13755
Discussion: <20151104062315[email protected]>
_is_service = 0;
for (x = 0; x < Groups->GroupCount; x++)
{
- if (EqualSid(ServiceSid, Groups->Groups[x].Sid))
+ if (EqualSid(ServiceSid, Groups->Groups[x].Sid) &&
+ (Groups->Groups[x].Attributes & SE_GROUP_ENABLED))
{
_is_service = 1;
break;
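Review bot: The new `Attributes & SE_GROUP_ENABLED` test in the `EqualSid` condition has no comment explaining why a matching SID alone is not sufficient. A short comment above the `if`, noting that a restricted token can carry the service SID marked SE_GROUP_USE_FOR_DENY_ONLY and without SE_GROUP_ENABLED, would keep a later cleanup from removing the check as redundant. Since the commit message says pgwin32_is_admin() applies the same test, consider factoring the "SID matches and is enabled" check into one shared helper so the two callers cannot drift apart.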