BUG #16364: ICACLS error when installing under system context "NT AUTHORITY\SYSTEM" ie installing with SCCM

Started by PG Bug reporting form, about 6 years ago, 4 messages, bugs
#1 PG Bug reporting form
noreply@postgresql.org

The following bug has been logged on the website:

Bug reference: 16364
Logged by: MF
Email address: m_fysh@hotmail.com
PostgreSQL version: 12.2
Operating system: Windows 10
Description:

ICACLS error when installing under system context "NT AUTHORITY\SYSTEM" ie
installing with SCCM

System context has no user profile, the installer tries to set security
permissions to domain\hostname
The first call to icacls removes inheritance
C:\WINDOWS\System32\icacls "C:\Windows\Temp/postgresql_installer_9283e94fc0"
/inheritance:r

The next call adds permissions for domain\hostname$ (this should be "NT
AUTHORITY\SYSTEM" or "hostname\Administrators")
Executing C:\WINDOWS\System32\icacls
"C:\Windows\Temp/postgresql_installer_9283e94fc0" /T /Q /grant
"COR\Txxx6767$:(OI)(CI)F"

At that point the permissions on the folder have changed but the installer
no longer has access to the folder contents
So the next step fails
Error running C:\WINDOWS\System32\icacls
"C:\Windows\Temp/postgresql_installer_9283e94fc0" /T /Q /grant
"CORP\TM10336767$:(OI)(CI)F":
C:\Windows\Temp/postgresql_installer_9283e94fc0\*: Access is denied.

To reproduce the error use the Sysinternals tool
Open a cmd window as admin, then run
psexec.exe -s -i cmd
This will open a new CMD window in System context. Install PostgreSQL

When installing as just an ADMIN user (with profile)
Executing icacls
"C:\Users\USER_adm\AppData\Local\Temp/postgresql_installer_57a6af5619"
/inheritance:r
the user is still the owner of the folder so can still make changes to it.

Note you are now adding the current user domain\user in the next call to
icacls.exe
Executing icacls
"C:\Users\USER_adm\AppData\Local\Temp/postgresql_installer_57a6af5619" /T /Q
/grant "COR\USER_adm:(OI)(CI)F"
So an Admin User install will work
But a System install will not.

I tried this with 12.2.2, 12.2.1, 10.12.2
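
An added example, not part of the thread and not the installer's actual fix: one way a deployment script can lock down a temporary directory so that it behaves the same under an admin user and under "NT AUTHORITY\SYSTEM". It takes the grantee's SID from the process token instead of a domain\name string, and grants access before removing inheritance. The directory name is a constructed placeholder.

```powershell
# Constructed stand-in for the installer's temp directory (hypothetical name).
$dir = Join-Path $env:TEMP 'acl_demo_installer_tmp'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# Take the grantee from the process token as a SID. The log in the report shows
# a domain\hostname$ name being granted when the process runs as SYSTEM; the
# token SID is S-1-5-18 in that case and the user's own SID otherwise.
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

# Grant first, so the caller holds an explicit ACE before inheritance is cut.
# icacls accepts a numeric SID when it is prefixed with '*'.
& icacls.exe $dir /grant "*${sid}:(OI)(CI)F" /T /Q
if ($LASTEXITCODE -ne 0) { throw "icacls /grant failed with exit code $LASTEXITCODE" }

# Only now remove the inherited ACEs.
& icacls.exe $dir /inheritance:r /Q
if ($LASTEXITCODE -ne 0) { throw "icacls /inheritance:r failed with exit code $LASTEXITCODE" }

# Verify: an explicit Allow ACE with FullControl for our own SID must exist.
$full  = [System.Security.AccessControl.FileSystemRights]::FullControl
$rules = (Get-Acl -Path $dir).GetAccessRules(
    $true,   # include explicit ACEs
    $false,  # exclude inherited ACEs
    [System.Security.Principal.SecurityIdentifier])
$mine = $rules | Where-Object {
    $_.IdentityReference.Value -eq $sid -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $full) -eq $full
}
if (-not $mine) { throw "No explicit FullControl ACE for $sid on $dir" }

# Prove the directory is still usable by the calling context.
Set-Content -Path (Join-Path $dir 'probe.txt') -Value 'ok'
Write-Output "Locked down $dir for $sid"
```

Running it once from an elevated prompt and once from the `psexec.exe -s -i cmd` window described above exercises both contexts from the report.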

#2 Sandeep Thakkar
sandeep.thakkar@enterprisedb.com
In reply to: PG Bug reporting form (#1)
Re: BUG #16364: ICACLS error when installing under system context "NT AUTHORITY\SYSTEM" ie installing with SCCM

Hi,

This is a duplicate of BUG #16341.

We have generated a "test" installer with the fix for v11 and uploaded it
here
<https://drive.google.com/file/d/1XTQo9C3ZEwQ7KuwOXmwBhC3FE77-chAP/view>.
Could you please verify if it fixes the issue? If it does, then we would
release an update for all affected versions. Thank you.

On Wed, Apr 15, 2020 at 2:35 PM PG Bug reporting form <
noreply@postgresql.org> wrote:

--
Sandeep Thakkar

#3 M Fysh
m_fysh@hotmail.com
In reply to: Sandeep Thakkar (#2)
Re: BUG #16364: ICACLS error when installing under system context "NT AUTHORITY\SYSTEM" ie installing with SCCM

Thank you for the quick response.
I have tested the fix for V11 and it worked.

Thank you
Michael

________________________________
From: Sandeep Thakkar <sandeep.thakkar@enterprisedb.com>
Sent: Monday, 20 April 2020 7:11 PM
To: m_fysh@hotmail.com <m_fysh@hotmail.com>; pgsql-bugs@lists.postgresql.org <pgsql-bugs@lists.postgresql.org>
Subject: Re: BUG #16364: ICACLS error when installing under system context "NT AUTHORITY\SYSTEM" ie installing with SCCM

Hi,

This is a duplicate of BUG #16341.

We have generated a "test" installer with the fix for v11 and uploaded it here <https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdrive.google.com%2Ffile%2Fd%2F1XTQo9C3ZEwQ7KuwOXmwBhC3FE77-chAP%2Fview&data=02%7C01%7C%7C53a3af4acd514412f21a08d7e50ad25a%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637229706954243674&sdata=rk3MogVB52rSiYIff2DgV9aPwekt0liQ%2BdLJ0Wi%2Fczg%3D&reserved=0>. Could you please verify if it fixes the issue? If it does, then we would release an update for all affected versions. Thank you.


#4 Sandeep Thakkar
sandeep.thakkar@enterprisedb.com
In reply to: M Fysh (#3)
Re: BUG #16364: ICACLS error when installing under system context "NT AUTHORITY\SYSTEM" ie installing with SCCM

Thank you for verifying the test installer. The updated version (11.7-4) is
now available for download.

On Fri, Apr 24, 2020 at 5:49 AM M Fysh <m_fysh@hotmail.com> wrote:

Thank you for the quick response.
I have tested the fix for V11 and it worked.

Thank you
Michael


--
Sandeep Thakkar