Re: BUG #16341: Installation with EnterpriseDB Community installer in NT AUTHORITY\SYSTEM context not possible

Hi, thank you for your reply. I answered below your comments.

On Fri, Apr 3, 2020 at 7:47 PM PG Bug reporting form <noreply@postgresql.org> wrote:

The following bug has been logged on the website:

Bug reference:      16341
Logged by:          Enrico La Torre
Email address:      pg.dba.iit.team@gmail.com
PostgreSQL version: 9.6.17
Operating system:   Windows Server 2016
Description:       

Hi,

it could be that the same bug was reported in
https://www.postgresql.org/message-id/16001-fa33ba75a039fc7d%40postgresql.org
, but nobody answered until today.

It is impossible for me to install PostgreSQL 9.6.17 with the EnterpriseDB
installer (free Community Edition) on Windows Server 2016 in the security
context of NT AUTHORITY\SYSTEM.

Can you elaborate this please?

I use psexec.exe from the Sysinternals Suite to get a PowerShell cmd shell in NT AUTHORITY\SYSTEM context. whoami returns 'nt authority\system'.

If I then start the installer with '.\postgresql-9.6.17-1-windows-x64.exe' the interactive installer starts and returns the given error message. To be precise, only the logo of EnterpriseDB is shown and then the error message appears.

Usually we call the installer in the unattended mode in our scripts but it even fails in the interactive mode now. So I ruled out any error with the argument list of the installer call.

 

If I start the installer with a regular
domain admin account, which is also local administrator, the installer
starts. 

OK

 

I receive the error message:
"Error running icacls "C:\Windows\Temp/postgresql_installer_ca555e4059" /T
/Q /grant "<DOMAIN>/<COMPUTERNAME>$:(OI)(CI)F":
C:\Windows\Temp/postgresql_installer_ca555e4059\*: Access is denied"

I disclaimed The log file of the installer
'C:\Windows\Temp\install-postgresql.log' is never written.

There must be files starting with bitrock*

The file 'C:\Windows\Temp\bitrock_installer.log' shows (I also attached the file to this mail):

Log started 04/06/2020 at 15:51:53

Preferred installation mode : qt

Trying to init installer in mode qt

Mode qt successfully initialized

Executing icacls "C:\Windows\Temp/postgresql_installer_f37cf0f7f1" /inheritance:r

Script exit code: 0

Script output:

 processed file: C:\Windows\Temp/postgresql_installer_f37cf0f7f1

Successfully processed 1 files; Failed processing 0 files

Script stderr:

 

Executing icacls "C:\Windows\Temp/postgresql_installer_f37cf0f7f1" /T /Q /grant "ALDI-199\911-092STL01$:(OI)(CI)F"

Script exit code: 5

Script output:

 Successfully processed 1 files; Failed processing 1 files

Script stderr:

 C:\Windows\Temp/postgresql_installer_f37cf0f7f1\*: Access is denied.

Error running icacls "C:\Windows\Temp/postgresql_installer_f37cf0f7f1" /T /Q /grant "ALDI-199\911-092STL01$:(OI)(CI)F": C:\Windows\Temp/postgresql_installer_f37cf0f7f1\*: Access is denied.

Cannot delete file C:/Windows/Temp/postgresql_installer_f37cf0f7f1

Exiting with code 1

 

SYSTEM has FULL CONTROL for 'C:\Windows\Temp'. Created directories in this
directory by SYSTEM inherit FULL CONTROL from the parent. But if I check the
temporary directory '.\postgresql_installer_ca555e4059' I see that the
inheritance is disabled for this particular directory. Only the principal
named <DOMAIN>/<COMPUTERNAME>$ has FULL CONTROL not SYSTEM.

Sure, once I receive the logs I may ask you to get the ACLs for some directories which will give us more clues.

 

The same issue is also true for PostgreSQL 12.2. The last time this
procedure worked that I know is with the installer for PostgreSQL 9.6.12.

Kind regards

Am Mo., 6. Apr. 2020 um 14:27 Uhr schrieb Sandeep Thakkar <sandeep.thakkar@enterprisedb.com>:

Hi,

On Fri, Apr 3, 2020 at 7:47 PM PG Bug reporting form <noreply@postgresql.org> wrote:

The following bug has been logged on the website:

Bug reference:      16341
Logged by:          Enrico La Torre
Email address:      pg.dba.iit.team@gmail.com
PostgreSQL version: 9.6.17
Operating system:   Windows Server 2016
Description:       

Hi,

it could be that the same bug was reported in
https://www.postgresql.org/message-id/16001-fa33ba75a039fc7d%40postgresql.org
, but nobody answered until today.

It is impossible for me to install PostgreSQL 9.6.17 with the EnterpriseDB
installer (free Community Edition) on Windows Server 2016 in the security
context of NT AUTHORITY\SYSTEM.

Can you elaborate this please?

 

If I start the installer with a regular
domain admin account, which is also local administrator, the installer
starts. 

OK

 

I receive the error message:
"Error running icacls "C:\Windows\Temp/postgresql_installer_ca555e4059" /T
/Q /grant "<DOMAIN>/<COMPUTERNAME>$:(OI)(CI)F":
C:\Windows\Temp/postgresql_installer_ca555e4059\*: Access is denied"

I disclaimed The log file of the installer
'C:\Windows\Temp\install-postgresql.log' is never written.

There must be files starting with bitrock*

 

SYSTEM has FULL CONTROL for 'C:\Windows\Temp'. Created directories in this
directory by SYSTEM inherit FULL CONTROL from the parent. But if I check the
temporary directory '.\postgresql_installer_ca555e4059' I see that the
inheritance is disabled for this particular directory. Only the principal
named <DOMAIN>/<COMPUTERNAME>$ has FULL CONTROL not SYSTEM.

Sure, once I receive the logs I may ask you to get the ACLs for some directories which will give us more clues.

 

The same issue is also true for PostgreSQL 12.2. The last time this
procedure worked that I know is with the installer for PostgreSQL 9.6.12.

Kind regards

--

Sandeep Thakkar