Re: Supporting huge pages on Windows

From: Craig Ringer [mailto:craig.ringer@2ndquadrant.com]
> TBH, anyone who cares about security and runs Win7 or Win2k8 or newer should
> be using virtual service accounts and managed service accounts.
> 
> https://technet.microsoft.com/en-us/library/dd548356
> 
> 
> Those are more like Unix service accounts. Notably they don't need a password,
> getting rid of some of the management pain that led us to abandon the
> 'postgres' system user on Windows.
> 
> Now that older platforms are EoL and even the oldest that added this feature
> are also near EoL or in extended maintenance, I think installers should
> switch to these by default instead of using NETWORK SERVICE.
> 
> Then the issue of priv dropping would be a lesser concern anyway.

Good point!  And I said earlier in this thread, I think managing privileges (adding/revoking privileges from the user
account)is the DBA's or sysadmin's duty, and PG's removing all privileges feels overkill.
 

OTOH, I tried again to leave the DISABLE_MAX_PRIVILEGE as is and add Lock Pages in Memory, using the attached pg_ctl.c.
Please see EnableLockPagesPrivilege() and its call site.  But pg_ctl -w start fails emitting the following message:
 

error code 1300
waiting for server to start....FATAL:  could not enable "Lock pages in memory" privilege
HINT:  Assign "Lock pages in memory" privilege to the Windows user account which runs PostgreSQL.
LOG:  database system is shut down
 stopped waiting
pg_ctl: could not start server
Examine the log output.

error code 1300 is ERROR_NOT_ALL_ASSIGNED, which means AdjustTokenPrivileges() cound not enable Lock Pages in Memory
privilege. It seems that the privilege cannot be enabled once it was removed with
CreateRestrictedToken(DISABLE_MAX_PRIVILEGE).

Regards
Takayuki Tsunakawa