On 5 April 2017 at 10:37, Tsunakawa, Takayuki
<tsunakawa.ta...@jp.fujitsu.com> wrote:

> Good point!  And I said earlier in this thread, I think managing privileges 
> (adding/revoking privileges from the user account) is the DBA's or sysadmin's 
> duty, and PG's removing all privileges feels overkill.

I think it's a sensible alternative to refusing to run as a highly
privileged role, which is what we used to do IIRC.

> OTOH, I tried again to leave the DISABLE_MAX_PRIVILEGE as is and add Lock 
> Pages in Memory, using the attached pg_ctl.c.  Please see 
> EnableLockPagesPrivilege() and its call site.  But pg_ctl -w start fails 
> emitting the following message:

That won't work. You'd have to pass 0 to the flags of
CreateRestrictedToken and instead supply a PrivilegesToDelete array.
You'd probably GetTokenInformation and AND with a mask of ones you
wanted to retain.

 Craig Ringer                   http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:

Reply via email to