Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-22272

windows installer - run service unter virtual service account

    XMLWordPrintable

Details

    Description

      Windows 7 introduced virtual accounts for services, NT SERVICE\service_name
      they are low-privilege, do not need to be created (i.e they exist when service is created),have no password, and in kerberos envronment run as UPN machine account.
      Overall, it is pretty much the same as NETWORK SERVICE account we used that far.

      However, virtual accounts have better "granularity" than NETWORK SERVICE.

      • File access control is better (one mariadb service does not access files from another service).
      • Also privilege assignment if needed can be done per-user(per-service).
        For example, to use large pages, one can give NT SERVICE\MariaDB SeLockMemoryPrivilege.
        (See MDEV-22175). If we ever decide to use symbolic links, this privilege can be given to the service as well.

      Attachments

        Issue Links

          blocks

          Technical task - A technical task. MDEV-22175 windows installer - create SeLockMemoryPrivilege for Service account

          • Major - Major loss of function.
          • Closed

          Activity

            People

              wlad Vladislav Vaintroub
              wlad Vladislav Vaintroub
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.