Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-47187

Add startup warning when SeIncreaseWorkingSetPrivilege not present

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: 4.2.5, 4.0.17
    • Fix Version/s: 4.0.19, 4.2.8, 4.4.0-rc5, 4.7.0
    • Component/s: None
    • Labels:
      None
    • Backwards Compatibility:
      Fully Compatible
    • Backport Requested:
      v4.4, v4.2, v4.0
    • Sprint:
      Security 2020-04-20
    • Case:

      Description

      SERVER-23705 added code to enable the SeIncreaseWorkingSetPrivilege privilege for the mongod process on Windows.

      If the server is running a locked down configuration, mongod is denied the privilege grant and the following warning is logged to stdout only during startup:

      2020-03-26T16:03:35.664+1100 W -        [main] Failed to adjust token privilege for privilege 'SeIncreaseWorkingSetPrivilege'
      

      The log message can be easily missed, and if encryption at rest is in use the following fassert() can be easily hit after 10's of databases are loaded:

      2020-03-18T07:32:00.387+0800 F -        [conn301] Failed to SetProcessWorkingSetSizeEx: A required privilege is not held by the client.
      2020-03-18T07:32:00.387+0800 F -        [conn301] Fatal Assertion 40286 at src\mongo\base\secure_allocator.cpp 154
      

      It would be good to log a startup warning that the required privilege is not available for use, so that the Windows system configuration can be corrected.

        Attachments

          Activity

            People

            Assignee:
            mark.benvenuto Mark Benvenuto
            Reporter:
            john.murphy John Murphy
            Participants:
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: