On 2017-04-05 04:25:41 +0000, Tsunakawa, Takayuki wrote:
> From: Craig Ringer [mailto:craig.ringer@2ndquadrant.com]
> > On 5 April 2017 at 10:37, Tsunakawa, Takayuki
> > <tsunakawa.takay@jp.fujitsu.com> wrote:
> >
> > OTOH, I tried again to leave the DISABLE_MAX_PRIVILEGE as is and add Lock
> > Pages in Memory, using the attached pg_ctl.c. Please see
> > EnableLockPagesPrivilege() and its call site. But pg_ctl -w start fails
> > emitting the following message:
> >
> > That won't work. You'd have to pass 0 to the flags of CreateRestrictedToken
> > and instead supply a PrivilegesToDelete array.
> > You'd probably GetTokenInformation and AND with a mask of ones you wanted
> > to retain.
>
> Uh, that's inconvenient. We can't determine what privileges to delete, and we must be aware of new privileges added in the future version of Windows.
>
> Then, I have to say the last patch (v12) is the final answer.
As I asked before, why can't we delete all privs and add the explicitly
needed ones back (using AdjustTokenPrivileges)?
- Andres
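
A sketch of the approach Craig describes in the quoted text (pass 0 as the flags and build PrivilegesToDelete from what GetTokenInformation reports), added here as an illustration; it is not code from this thread or from PostgreSQL's pg_ctl.c. The function names and the keep list (SeChangeNotifyPrivilege plus Lock Pages in Memory) are assumptions, and it covers only the privilege part, not any SIDs to disable.

```c
#include <stddef.h>
#ifdef _WIN32
#include <windows.h>
#else
/* Stand-ins with the winnt.h field names so the selection logic builds off Windows. */
typedef struct { unsigned int LowPart; int HighPart; } LUID;
typedef struct { LUID Luid; unsigned int Attributes; } LUID_AND_ATTRIBUTES;
#endif

/* Copy every held privilege that is NOT in keep[] into del[]; return the count.
 * Anything not on the allowlist is deleted, including privileges that a later
 * Windows release adds, so no list of "privileges to remove" is maintained. */
size_t select_deletions(const LUID_AND_ATTRIBUTES *held, size_t nheld,
                        const LUID *keep, size_t nkeep,
                        LUID_AND_ATTRIBUTES *del)
{
    size_t i, k, ndel = 0;
    for (i = 0; i < nheld; i++) {
        int retain = 0;
        for (k = 0; k < nkeep; k++)
            if (held[i].Luid.LowPart == keep[k].LowPart &&
                held[i].Luid.HighPart == keep[k].HighPart)
                retain = 1;
        if (!retain)
            del[ndel++] = held[i];
    }
    return ndel;
}

#ifdef _WIN32
/* Hypothetical helper: tok needs TOKEN_QUERY and TOKEN_DUPLICATE access. */
BOOL restrict_keep_lock_pages(HANDLE tok, HANDLE *restricted)
{
    DWORD buf[1024];                       /* DWORD-aligned scratch buffer */
    TOKEN_PRIVILEGES *tp = (TOKEN_PRIVILEGES *) buf;
    LUID_AND_ATTRIBUTES del[128];
    LUID keep[2];                          /* assumed allowlist */
    DWORD len, ndel;

    if (!GetTokenInformation(tok, TokenPrivileges, buf, sizeof(buf), &len) ||
        tp->PrivilegeCount > 128 ||
        !LookupPrivilegeValue(NULL, SE_CHANGE_NOTIFY_NAME, &keep[0]) ||
        !LookupPrivilegeValue(NULL, SE_LOCK_MEMORY_NAME, &keep[1]))
        return FALSE;
    ndel = (DWORD) select_deletions(tp->Privileges, tp->PrivilegeCount, keep, 2, del);
    /* Flags = 0 (no DISABLE_MAX_PRIVILEGE): only the listed privileges are removed. */
    return CreateRestrictedToken(tok, 0, 0, NULL, ndel, del, 0, NULL, restricted);
}
#endif
```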