diff options
author | Mark Benvenuto <mark.benvenuto@mongodb.com> | 2020-04-10 12:06:44 -0400 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2020-05-20 06:14:39 +0000 |
commit | 7fa3780e18128492680cb4d693f99479a5061a41 (patch) | |
tree | dc63ab8d704e99b234ae8757feb2612e1164ea27 | |
parent | 04a84eed3ad636e8f9f76b0c48621332e50f8535 (diff) | |
download | mongo-7fa3780e18128492680cb4d693f99479a5061a41.tar.gz |
SERVER-47187 Add startup warning when SeIncreaseWorkingSetPrivilege not present
(cherry picked from commit 905011e695e1886d9fb733f71975a3affe5f4f85)
-rw-r--r-- | src/mongo/db/startup_warnings_common.cpp | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/src/mongo/db/startup_warnings_common.cpp b/src/mongo/db/startup_warnings_common.cpp index 98712cfb5c8..713cfeb45eb 100644 --- a/src/mongo/db/startup_warnings_common.cpp +++ b/src/mongo/db/startup_warnings_common.cpp @@ -42,10 +42,46 @@ #include "mongo/util/log.h" #include "mongo/util/net/ssl_options.h" #include "mongo/util/processinfo.h" +#include "mongo/util/scopeguard.h" #include "mongo/util/version.h" namespace mongo { +#ifdef _WIN32 +bool CheckPrivilegeEnabled(const wchar_t* name) { + LUID luid; + if (!LookupPrivilegeValueW(nullptr, name, &luid)) { + warning() << errnoWithPrefix("Failed to LookupPrivilegeValue"); + return false; + } + + // Get the access token for the current process. + HANDLE accessToken; + if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &accessToken)) { + warning() << errnoWithPrefix("Failed to OpenProcessToken"); + return false; + } + + const auto accessTokenGuard = MakeGuard([&] { CloseHandle(accessToken); }); + + BOOL ret; + PRIVILEGE_SET privileges; + privileges.PrivilegeCount = 1; + privileges.Control = PRIVILEGE_SET_ALL_NECESSARY; + + privileges.Privilege[0].Luid = luid; + privileges.Privilege[0].Attributes = 0; + + if (!PrivilegeCheck(accessToken, &privileges, &ret)) { + warning() << errnoWithPrefix("Failed to PrivilegeCheck"); + return false; + } + + return ret; +} + +#endif + // // system warnings // @@ -112,6 +148,17 @@ void logCommonStartupWarnings(const ServerGlobalParams& serverParams) { } #endif +#ifdef _WIN32 + if (!CheckPrivilegeEnabled(SE_INC_WORKING_SET_NAME)) { + log() + << "** WARNING: SeIncreaseWorkingSetPrivilege privilege is not granted to the process." + << startupWarningsLog; + log() << "** Secure memory allocation for SCRAM and/or Encrypted Storage Engine " + "may fail." + << startupWarningsLog; + } +#endif + #if !defined(_WIN32) if (getuid() == 0) { log() << "** WARNING: You are running this process as the root user, " |