  1. MariaDB Server
  2. MDEV-22272

Windows installer - run service under virtual service account

    Details

      Description

      Windows 7 introduced virtual accounts for services, NT SERVICE\service_name.
      They are low-privilege, do not need to be created (i.e. they exist when the service is created), have no password, and in a Kerberos environment run as UPN machine account.
      Overall, it is pretty much the same as the NETWORK SERVICE account we have used so far.

      However, virtual accounts have better "granularity" than NETWORK SERVICE.

      • File access control is better (one mariadb service does not access files from another service).
      • Also, privilege assignment, if needed, can be done per user (per service).
        For example, to use large pages, one can give NT SERVICE\MariaDB SeLockMemoryPrivilege.
        (See MDEV-22175). If we ever decide to use symbolic links, this privilege can be given to the service as well.
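
The file access point above, as an added example that is not part of the issue or of the MariaDB installer: it moves an existing service to its virtual account and restricts the data directory to that account. The service name `MariaDB` follows the issue's `NT SERVICE\MariaDB`; the data directory path is a hypothetical placeholder, and the script assumes an elevated PowerShell prompt.

```powershell
# Assumptions (not from the issue): the service already exists under the name
# 'MariaDB' and its data directory is C:\MariaDB\data (hypothetical path).
$ServiceName = 'MariaDB'
$DataDir     = 'C:\MariaDB\data'
$Account     = "NT SERVICE\$ServiceName"   # virtual account; exists once the service exists

# 1. Change the service logon to the virtual account. It has no password,
#    so none is supplied. Use sc.exe explicitly: 'sc' is an alias in PowerShell.
& sc.exe config $ServiceName obj= $Account | Out-Null
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed ($LASTEXITCODE)" }

# 2. Lock down the data directory: drop inherited ACEs, remove any explicit
#    grant to the shared NETWORK SERVICE account, and give full control only
#    to this service's account, SYSTEM and Administrators.
$allowed = @($Account, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
& icacls.exe $DataDir /inheritance:r | Out-Null
& icacls.exe $DataDir /remove:g 'NT AUTHORITY\NETWORK SERVICE' | Out-Null
foreach ($id in $allowed) {
    & icacls.exe $DataDir /grant:r "${id}:(OI)(CI)F" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls grant failed for $id" }
}

# 3. The new logon account takes effect at the next service start.
Restart-Service -Name $ServiceName

# 4. Verify: the service runs as the virtual account, and no other identity
#    holds an Allow entry on the data directory.
$startName = (Get-CimInstance Win32_Service -Filter "Name='$ServiceName'").StartName
if ($startName -ne $Account) {
    Write-Warning "Service runs as '$startName', expected '$Account'"
}
$unexpected = (Get-Acl -LiteralPath $DataDir).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -notin $allowed
}
if ($unexpected) {
    Write-Warning 'Data directory is still accessible to other identities:'
    $unexpected | Format-Table IdentityReference, FileSystemRights, IsInherited
} else {
    Write-Output "Data directory is restricted to $($allowed -join ', ')"
}

# The per-service SID behind the virtual account, for audit records.
& sc.exe showsid $ServiceName
```

With a second instance configured the same way under its own service name, neither service account appears in the other's data directory ACL, which is the separation that NETWORK SERVICE cannot provide.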

              People

              Assignee:
              wlad Vladislav Vaintroub
              Reporter:
              wlad Vladislav Vaintroub