Yes. It should not be an installer issue, as the installer is using pg_ctl to
register and run the service on Windows. Thanks.

Best Regards,
Muhammad Asif Naeem


On Tue, Oct 29, 2013 at 9:57 AM, Sandeep Thakkar <
sandeep.thak...@enterprisedb.com> wrote:

> So, this is not an installer issue. Is this bug raised to the PostgreSQL
> community? If yes, you should submit the patch there.
>
>
> On Tue, Oct 29, 2013 at 6:23 AM, Naoya Anzai <
> anzai-na...@mxu.nes.nec.co.jp> wrote:
>
>> Hi, Asif
>>
>> Thank you for providing my patch (pg_ctl.c.patch) to Sandeep on my behalf.
>>
>> > Good finding. I have attached another version of patch
>> > (pg_ctl.c_windows_vulnerability.patch) attached that has fewer lines of
>> > code changes, can you please take a look? Thanks.
>>
>> I think your patch is not sufficient to fix.
>> Not only "pg_ctl.exe" but "postgres.exe" also has the same problem.
>> Even if your patch is attached,
>> a path of "postgres.exe" passed to CreateRestrictedProcess is not
>> enclosed in quotation. (See pgwin32_ServiceMain at pg_ctl.c)
>>
>> So, processing enclosed in quotation should do in both conditions.
>>
>> Regards,
>> Naoya
>>
>> ---
>> Naoya Anzai
>> Engineering Department
>> NEC Soft, Ltd.
>> E-Mail: anzai-na...@mxu.nes.nec.co.jp
>> ---
>>
>>
>> > Hi Sandeep,
>> >
>> > PFA Naoya's patch (pg_ctl.c.patch).
>> >
>> > Hi Naoya,
>> >
>> > Good finding. I have attached another version of patch
>> > (pg_ctl.c_windows_vulnerability.patch) attached that has fewer lines of
>> > code changes, can you please take a look? Thanks.
>> >
>> > Best Regards,
>> > Asif Naeem
>> >
>> >
>> > On Mon, Oct 28, 2013 at 4:46 PM, Sandeep Thakkar <
>> sandeep.thak...@enterprisedb.com> wrote:
>> >
>> >
>> >       Hi Dave
>> >
>> >       We register the service using pg_ctl. When I manually executed
>> >       the following on the command prompt, I saw that the service path of the
>> >       registered service did not have the pg_ctl.exe path in quotes. Maybe it
>> >       should be handled in the pg_ctl code.
>> >
>> >       c:\Users\Sandeep Thakkar\Documents>"c:\Program Files\PostgreSQL\9.3\bin\pg_ctl.exe" register -N "pg-9.3" -U "NT AUTHORITY\NetworkService" -D "c:\Program Files\PostgreSQL\9.3\data" -w
>> >
>> >       Naoya, I could not find your patch here. Can you please share it again?
>> >
>> >
>> >
>> >       On Mon, Oct 28, 2013 at 2:53 PM, Dave Page <dp...@pgadmin.org> wrote:
>> >
>> >
>> >               Sandeep, can you look at this please? Thanks.
>> >
>> >               On Mon, Oct 28, 2013 at 8:18 AM, Asif Naeem <anaeem...@gmail.com> wrote:
>> >               > It is related to windows unquoted service path vulnerability in the
>> >               > installer that creates service path without quotes that make service.exe to
>> >               > look for undesirable path for executable.
>> >               >
>> >               > postgresql-9.3 service path : C:/Users/asif/Desktop/Program files/9.3/bin/pg_ctl.exe runservice -N "postgresql-9.3" -D "C:/Users/asif/Desktop/Program files/9.3/data" -w
>> >               >
>> >               > service.exe
>> >               >>
>> >               >> C:\Users\asif\Desktop\Program     NAME NOT FOUND
>> >               >> C:\Users\asif\Desktop\Program.exe     NAME NOT FOUND
>> >               >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe     ACCESS DENIED
>> >               >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe     ACCESS DENIED
>> >               >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice     NAME NOT FOUND
>> >               >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice.exe     NAME NOT FOUND
>> >               >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice -N     NAME NOT FOUND
>> >               >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice -N.exe     NAME NOT FOUND
>> >               >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice -N "postgresql-9.3"     NAME INVALID
>> >               >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice -N "postgresql-9.3".exe     NAME INVALID
>> >               >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice -N "postgresql-9.3" -D     NAME INVALID
>> >               >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice -N "postgresql-9.3" -D.exe     NAME INVALID
>> >               >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice -N "postgresql-9.3" -D "C:\Users\asif\Desktop\Program     NAME INVALID
>> >               >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice -N "postgresql-9.3" -D "C:\Users\asif\Desktop\Program.exe     NAME INVALID
>> >               >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice -N "postgresql-9.3" -D "C:\Users\asif\Desktop\Program files\9.3\data"     NAME INVALID
>> >               >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice -N "postgresql-9.3" -D "C:\Users\asif\Desktop\Program files\9.3\data".exe     NAME INVALID
>> >               >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice -N "postgresql-9.3" -D "C:\Users\asif\Desktop\Program files\9.3\data" -w     NAME INVALID
>> >               >> C:\Users\asif\Desktop\Program files\9.3\bin\pg_ctl.exe runservice -N "postgresql-9.3" -D "C:\Users\asif\Desktop\Program files\9.3\data" -w.exe     NAME INVALID
>> >               >
>> >               >
>> >               > Fix :
>> >               >
>> >               > postgresql-9.3 service path : "C:/Users/asif/Desktop/Program files/9.3/bin/pg_ctl.exe" runservice -N "postgresql-9.3" -D "C:/Users/asif/Desktop/Program files/9.3/data" -w
>> >               >
>> >               > It would be good if this is reported on pg installer forum or security
>> >               > forum. Thanks.
>> >               >
>> >               > Regards,
>> >               > Asif Naeem
>> >               >
>> >               > On Mon, Oct 28, 2013 at 12:06 PM, Naoya Anzai
>> >               > <anzai-na...@mxu.nes.nec.co.jp> wrote:
>> >               >>
>> >               >> Hi, Asif.
>> >               >>
>> >               >> Thank you for response.
>> >               >>
>> >               >>
>> >               >> >       C:\Users\asif\Desktop\Program files\9.3>"bin\pg_ctl" -D "C:\Users\asif\Desktop\Program files\9.3\data1" -l logfile start
>> >               >> >       server starting
>> >               >>
>> >               >> This failure does not occur by the command line.
>> >               >> PostgreSQL needs to start by Windows Service.
>> >               >>
>> >               >> Additionally, in this case,
>> >               >> a file "Program" needs to exist at "C:\Users\asif\Desktop\", and
>> >               >> "postgres.exe" needs to exist at "C:\Users\asif\Desktop\Program files\9.3\bin".
>> >               >> ------------
>> >               >> C:\Users\asif\Desktop\Program files\9.3\bin>dir
>> >               >> ...
>> >               >>     4,435,456   postgres.exe
>> >               >>        80,896   pg_ctl.exe
>> >               >> ...
>> >               >>
>> >               >> C:\Users\asif\Desktopp>dir
>> >               >> ...
>> >               >>             0  Program
>> >               >> <DIR>          Program files
>> >               >> ...
>> >               >> ------------
>> >               >>
>> >               >> Regards,
>> >               >> Naoya
>> >               >>
>> >               >> > Hi Naoya,
>> >               >> >
>> >               >> > I am not able to reproduce the problem. Do you mean pg windows service
>> >               >> > installed by installer is not working or bin\pg_ctl binary is not accepting
>> >               >> > spaces in the patch? Following worked for me i.e.
>> >               >> >
>> >               >> >
>> >               >> >       C:\Users\asif\Desktop\Program files\9.3>"bin\pg_ctl" -D "C:\Users\asif\Desktop\Program files\9.3\data1" -l logfile start
>> >               >> >       server starting
>> >               >> >
>> >               >> >
>> >               >> > Can you please share the exact steps? Thanks.
>> >               >> >
>> >               >> >
>> >               >> > Regards,
>> >               >> > Muhammad Asif Naeem
>> >               >> >
>> >               >> >
>> >               >> >
>> >               >> > On Mon, Oct 28, 2013 at 10:26 AM, Naoya Anzai
>> >               >> > <anzai-na...@mxu.nes.nec.co.jp> wrote:
>> >               >> >
>> >               >> >
>> >               >> >       Hi All,
>> >               >> >
>> >               >> >       I have found a case that PostgreSQL Service does not start.
>> >               >> >       When it happens, the following error appears.
>> >               >> >
>> >               >> >        "is not a valid Win32 application"
>> >               >> >
>> >               >> >       This failure occurs when the following conditions are true.
>> >               >> >
>> >               >> >       1. There is "postgres.exe" in any directory that contains a space,
>> >               >> >          such as "Program Files".
>> >               >> >
>> >               >> >          e.g.)
>> >               >> >          C:\Program Files\PostgreSQL\bin\postgres.exe
>> >               >> >
>> >               >> >       2. A file using the first white space-delimited
>> >               >> >          tokens of that directory as the file name exists,
>> >               >> >          and there is it in the same hierarchy.
>> >               >> >
>> >               >> >          e.g.)
>> >               >> >          C:\Program     //file
>> >               >> >
>> >               >> >       "pg_ctl.exe" as PostgreSQL Service creates a postgres
>> >               >> >       process using an absolute path which indicates the
>> >               >> >       location of "postgres.exe", but the path is not enclosed
>> >               >> >       in quotation.
>> >               >> >
>> >               >> >       Therefore, if the above-mentioned conditions are true,
>> >               >> >       CreateProcessAsUser (a Windows Function called by pg_ctl.exe)
>> >               >> >       tries to create a process using the other file such
>> >               >> >       as "Program", so the service fails to start.
>> >               >> >
>> >               >> >       Accordingly, I think that the command path should be
>> >               >> >       enclosed in quotation.
>> >               >> >
>> >               >> >       I created a patch to fix this failure,
>> >               >> >       So could anyone confirm?
>> >               >> >
>> >               >> >       Regards,
>> >               >> >
>> >               >> >       Naoya
>> >               >> >
>> >               >> >       ---
>> >               >> >       Naoya Anzai
>> >               >> >       Engineering Department
>> >               >> >       NEC Soft, Ltd.
>> >               >> >       E-Mail: anzai-na...@mxu.nes.nec.co.jp
>> >               >> >       ---
>> >               >> >
>> >               >> >
>> >               >> >       --
>> >               >> >       Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
>> >               >> >       To make changes to your subscription:
>> >               >> >       http://www.postgresql.org/mailpref/pgsql-hackers
>> >               >> >
>> >               >> >
>> >               >> >
>> >               >> >
>> >               >> >>
>> >
>> >
>> >               --
>> >               Dave Page
>> >               Blog: http://pgsnake.blogspot.com
>> >               Twitter: @pgsnake
>> >
>> >               EnterpriseDB UK: http://www.enterprisedb.com
>> >               The Enterprise PostgreSQL Company
>> >
>> >
>> >
>> >
>> >
>> >       --
>> >
>> >       Sandeep Thakkar
>> >       Senior Software Engineer
>> >
>> >
>> >       Phone: +91.20.30589505
>> >
>> >       Website: www.enterprisedb.com
>> >       EnterpriseDB Blog: http://blogs.enterprisedb.com/
>> >       Follow us on Twitter: http://www.twitter.com/enterprisedb
>> >
>> >
>> >
>> >
>> >
>> >
>>
>>
>>
>>
>
>
> --
> Sandeep Thakkar
> Senior Software Engineer
>
>
> Phone: +91.20.30589505
>
>
> Website: www.enterprisedb.com
> EnterpriseDB Blog: http://blogs.enterprisedb.com/
> Follow us on Twitter: http://www.twitter.com/enterprisedb
>
>
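
Added example (not part of this thread, and not either of the pg_ctl.c patches discussed in it): a portable C sketch of why the unquoted path in the report is ambiguous and how quoting the executable path removes the ambiguity. The function names are hypothetical, the sample command lines are constructed from the path in the original report, and only the first module-name candidate is modelled, not the full retry sequence shown in the trace above.

```c
#include <stdio.h>
#include <string.h>

/* Length of the first module-name candidate taken from a command line:
 * the text inside the leading quotes, or, when unquoted, everything up to
 * the first space or tab. Only the first candidate is modelled here. */
size_t first_token_len(const char *cmdline)
{
    if (cmdline[0] == '"') {
        const char *end = strchr(cmdline + 1, '"');
        return end ? (size_t)(end - cmdline - 1) : strlen(cmdline + 1);
    }
    return strcspn(cmdline, " \t");
}

/* 1 if the first candidate is exactly the intended executable, else 0. */
int resolves_to(const char *cmdline, const char *exe_path)
{
    size_t off = (cmdline[0] == '"') ? 1 : 0;
    size_t n = first_token_len(cmdline);
    return n == strlen(exe_path) && strncmp(cmdline + off, exe_path, n) == 0;
}

/* Build "<exe>" <args> with the executable path quoted.
 * Returns 0 on success, -1 if the path holds a quote or out is too small. */
int build_cmdline(char *out, size_t outlen, const char *exe_path, const char *args)
{
    int n;
    if (strchr(exe_path, '"') != NULL)
        return -1;              /* '"' is not a legal Windows path character */
    n = snprintf(out, outlen, "\"%s\" %s", exe_path, args);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample, using the install path from the report. */
    const char *exe = "C:\\Program Files\\PostgreSQL\\bin\\postgres.exe";
    const char *unquoted = "C:\\Program Files\\PostgreSQL\\bin\\postgres.exe -D data";
    char fixed[512];

    printf("unquoted first candidate: %.*s\n", (int)first_token_len(unquoted), unquoted);
    printf("unquoted resolves to postgres.exe: %d\n", resolves_to(unquoted, exe));
    if (build_cmdline(fixed, sizeof fixed, exe, "-D data") == 0)
        printf("quoted: %s\nquoted resolves to postgres.exe: %d\n", fixed, resolves_to(fixed, exe));
    return 0;
}
```

The same check applies to both places named in the thread: the service path registered for pg_ctl.exe and the postgres.exe command line that pg_ctl builds when it runs as a service.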
