Re: lowering pg_regress privileges on Windows

Michael Paquier <michael@paquier.xyz>

From: Michael Paquier <michael@paquier.xyz>
To: Andrew Dunstan <andrew.dunstan@2ndquadrant.com>
Cc: PostgreSQL-development <pgsql-hackers@postgresql.org>, Thomas Munro <thomas.munro@enterprisedb.com>
Date: 2018-10-19T00:13:41Z
Lists: pgsql-hackers
On Thu, Oct 18, 2018 at 08:31:11AM -0400, Andrew Dunstan wrote:
> The attached ridiculously tiny patch solves the problem whereby while we can
> run Postgres on Windows safely from an Administrator account, we can't run
> run the regression tests from the same account, since it fails on the
> tablespace test, the tablespace directory having been set up without first
> having lowered privileges. The solution is to lower pg_regress' privileges
> in the same way that we do with other binaries. This is useful in setups
> like Appveyor where running under any other account is ... difficult. For
> the cfbot Thomas has had to make the script hack the schedule file to omit
> the tablespace test. This would make that redundant.
> 
> I propose to backpatch this. It's close enough to a bug and the risk is
> almost infinitely small.

+1.  get_restricted_token() refactoring has been done down to
REL9_5_STABLE.  With 9.4 and older you would need to copy again this
full routine into pg_regress.c, which is in my opinion not worth
worrying about.
--
Michael

Commits

  1. Lower privilege level of programs calling regression_main