On 5 April 2017 at 10:37, Tsunakawa, Takayuki
> Good point! And I said earlier in this thread, I think managing privileges
> (adding/revoking privileges from the user account) is the DBA's or sysadmin's
> duty, and PG's removing all privileges feels overkill.

I think it's a sensible alternative to refusing to run as a highly
privileged role, which is what we used to do IIRC.

> OTOH, I tried again to leave the DISABLE_MAX_PRIVILEGE as is and add Lock
> Pages in Memory, using the attached pg_ctl.c. Please see
> EnableLockPagesPrivilege() and its call site. But pg_ctl -w start fails
> emitting the following message:

That won't work. You'd have to pass 0 to the flags of
CreateRestrictedToken and instead supply a PrivilegesToDelete array.
You'd probably GetTokenInformation and AND with a mask of ones you
wanted to retain.

Craig Ringer http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
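
The approach suggested in the reply above, as an added example that is not part of the original message and is not PostgreSQL code: read the token's privileges with GetTokenInformation, drop everything not on an allow-list, and pass the result as PrivilegesToDelete with Flags set to 0. The function names `privileges_to_delete` and `restrict_keeping_lock_pages` are hypothetical, the non-Windows typedefs are stand-ins so the filter can be built and tested elsewhere, and the sketch assumes a token handle opened with TOKEN_QUERY and TOKEN_DUPLICATE and passes no SidsToDisable.

```c
/* Added example (not PostgreSQL code): PrivilegesToDelete from an allow-list. */
#include <stdlib.h>
#ifdef _WIN32
#include <windows.h>
#else  /* stand-in types (assumption) so the filter builds off Windows */
typedef unsigned long DWORD;
typedef struct { DWORD LowPart; long HighPart; } LUID;
typedef struct { LUID Luid; DWORD Attributes; } LUID_AND_ATTRIBUTES;
#endif

/* Copy into del[] every held privilege whose LUID is not in keep[].
 * del needs room for nheld entries and may alias held. Returns the count. */
DWORD privileges_to_delete(const LUID_AND_ATTRIBUTES *held, DWORD nheld,
        const LUID *keep, DWORD nkeep, LUID_AND_ATTRIBUTES *del)
{
    DWORD i, k, ndel = 0;
    for (i = 0; i < nheld; i++) {
        for (k = 0; k < nkeep; k++)
            if (held[i].Luid.LowPart == keep[k].LowPart &&
                held[i].Luid.HighPart == keep[k].HighPart)
                break;
        if (k == nkeep)              /* not on the allow-list: delete it */
            del[ndel++] = held[i];
    }
    return ndel;
}

#ifdef _WIN32
/* Keep SeChangeNotifyPrivilege (all that DISABLE_MAX_PRIVILEGE keeps) plus
 * SeLockMemoryPrivilege; delete everything else the token holds. */
BOOL restrict_keeping_lock_pages(HANDLE tok, HANDLE *out)
{
    LUID keep[2];
    DWORD len = 0, n;
    TOKEN_PRIVILEGES *tp;
    BOOL ok = FALSE;
    if (!LookupPrivilegeValue(NULL, SE_CHANGE_NOTIFY_NAME, &keep[0]) ||
        !LookupPrivilegeValue(NULL, SE_LOCK_MEMORY_NAME, &keep[1]))
        return FALSE;
    GetTokenInformation(tok, TokenPrivileges, NULL, 0, &len); /* size query */
    if ((tp = malloc(len)) == NULL) return FALSE;
    if (GetTokenInformation(tok, TokenPrivileges, tp, len, &len)) {
        n = privileges_to_delete(tp->Privileges, tp->PrivilegeCount,
                                 keep, 2, tp->Privileges); /* in place */
        ok = CreateRestrictedToken(tok, 0, 0, NULL, n, tp->Privileges, 0, NULL, out);
    }
    free(tp);
    return ok;
}
#endif
```

Deleting a privilege from a restricted token is permanent for that token, so the allow-list has to name every privilege the child process will later need to enable.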