author | Mark Benvenuto <mark.benvenuto@mongodb.com> | 2020-04-10 12:06:44 -0400 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2020-04-10 16:48:01 +0000 |
commit | 905011e695e1886d9fb733f71975a3affe5f4f85 (patch) | |
tree | b3b483ccf01fe41b510ac2cff876da09b1b69d93 /src | |
parent | d51e93a173eefeb0f6a1baa6ed4e9cbed7f35466 (diff) | |
download | mongo-905011e695e1886d9fb733f71975a3affe5f4f85.tar.gz |
SERVER-47187 Add startup warning when SeIncreaseWorkingSetPrivilege not present
Diffstat (limited to 'src')
-rw-r--r-- | src/mongo/db/startup_warnings_common.cpp | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/src/mongo/db/startup_warnings_common.cpp b/src/mongo/db/startup_warnings_common.cpp
index 8d59e6b1517..986b854de09 100644
--- a/src/mongo/db/startup_warnings_common.cpp
+++ b/src/mongo/db/startup_warnings_common.cpp
@@ -46,6 +46,44 @@ namespace mongo {
+#ifdef _WIN32
+bool CheckPrivilegeEnabled(const wchar_t* name) {
+ LUID luid;
+ if (!LookupPrivilegeValueW(nullptr, name, &luid)) {
+ auto str = errnoWithPrefix("Failed to LookupPrivilegeValue");
+ LOGV2_WARNING(47187001, "{str}", "str"_attr = str);
+ return false;
+ }
+
+ // Get the access token for the current process.
+ HANDLE accessToken;
+ if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &accessToken)) {
+ auto str = errnoWithPrefix("Failed to OpenProcessToken");
+ LOGV2_WARNING(47187002, "{str}", "str"_attr = str);
+ return false;
+ }
+
+ const auto accessTokenGuard = makeGuard([&] { CloseHandle(accessToken); });
+
+ BOOL ret;
+ PRIVILEGE_SET privileges;
+ privileges.PrivilegeCount = 1;
+ privileges.Control = PRIVILEGE_SET_ALL_NECESSARY;
+
+ privileges.Privilege[0].Luid = luid;
+ privileges.Privilege[0].Attributes = 0;
+
+ if (!PrivilegeCheck(accessToken, &privileges, &ret)) {
+ auto str = errnoWithPrefix("Failed to PrivilegeCheck");
+ LOGV2_WARNING(47187003, "{str}", "str"_attr = str);
+ return false;
+ }
+
+ return ret;
+}
+
+#endif
+
 //
 // system warnings
 //
@@ -127,6 +165,16 @@ void logCommonStartupWarnings(const ServerGlobalParams& serverParams) {
 }
 #endif
+#ifdef _WIN32
+ if (!CheckPrivilegeEnabled(SE_INC_WORKING_SET_NAME)) {
+ LOGV2_OPTIONS(
+ 47187004,
+ {logv2::LogTag::kStartupWarnings},
+ "SeIncreaseWorkingSetPrivilege privilege is not granted to the process. Secure memory "
+ "allocation for SCRAM and/or Encrypted Storage Engine may fail.");
+ }
+#endif
+
 #if !defined(_WIN32)
 if (getuid() == 0) {
 LOGV2_WARNING_OPTIONS( |
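Review bot: All three failure paths in `CheckPrivilegeEnabled` return `false`, so a failed `LookupPrivilegeValueW`, `OpenProcessToken` or `PrivilegeCheck` looks the same to the caller as a privilege that is not enabled, and the second hunk will then log the missing-privilege warning on top of the API error. `PrivilegeCheck` reports whether the privilege is enabled in the token, not whether it is held, so an assigned-but-disabled privilege would presumably also return `false`; that is worth confirming against how the secure allocator acquires the privilege. At minimum I would state the contract above the function, `// Returns true only if 'name' is enabled in the process token; also returns false when the Win32 query itself fails.`, and a tri-state result would let the caller skip the warning when the state is unknown. The helper is only used in this file as far as the diff shows, so it could live in an anonymous namespace and follow the camelCase naming of `logCommonStartupWarnings`.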
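Review bot: The new message goes through `LOGV2_OPTIONS`, while the root-user check in the trailing context uses `LOGV2_WARNING_OPTIONS`; if `LOGV2_OPTIONS` logs at the default severity, the entry carries the startup-warning tag but is not raised at warning level, which weakens the signal an operator gets that SCRAM or Encrypted Storage Engine secrets may not receive locked memory. I would switch the call to `LOGV2_WARNING_OPTIONS(` with the same id, tag and message. The text also says the privilege "is not granted", whereas the helper tests whether it is enabled and returns `false` on API errors too, so wording such as `"SeIncreaseWorkingSetPrivilege privilege is not enabled for the process. Secure memory "` would match what was actually checked. `logCommonStartupWarnings` starts and ends outside this hunk.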