LCOV - code coverage report
Current view: top level - src/common - exec.c (source / functions) Hit Total Coverage
Test: PostgreSQL 17devel Lines: 74 111 66.7 %
Date: 2024-03-29 04:11:22 Functions: 8 8 100.0 %
Legend: Lines: hit not hit

          Line data    Source code
       1             : /*-------------------------------------------------------------------------
       2             :  *
       3             :  * exec.c
       4             :  *      Functions for finding and validating executable files
       5             :  *
       6             :  *
       7             :  * Portions Copyright (c) 1996-2024, PostgreSQL Global Development Group
       8             :  * Portions Copyright (c) 1994, Regents of the University of California
       9             :  *
      10             :  *
      11             :  * IDENTIFICATION
      12             :  *    src/common/exec.c
      13             :  *
      14             :  *-------------------------------------------------------------------------
      15             :  */
      16             : 
      17             : /*
      18             :  * On macOS, "man realpath" avers:
      19             :  *    Defining _DARWIN_C_SOURCE or _DARWIN_BETTER_REALPATH before including
      20             :  *    stdlib.h will cause the provided implementation of realpath() to use
      21             :  *    F_GETPATH from fcntl(2) to discover the path.
      22             :  * This should be harmless everywhere else.
      23             :  */
      24             : #define _DARWIN_BETTER_REALPATH
      25             : 
      26             : #ifndef FRONTEND
      27             : #include "postgres.h"
      28             : #else
      29             : #include "postgres_fe.h"
      30             : #endif
      31             : 
      32             : #include <signal.h>
      33             : #include <sys/stat.h>
      34             : #include <sys/wait.h>
      35             : #include <unistd.h>
      36             : 
      37             : #ifdef EXEC_BACKEND
      38             : #if defined(HAVE_SYS_PERSONALITY_H)
      39             : #include <sys/personality.h>
      40             : #elif defined(HAVE_SYS_PROCCTL_H)
      41             : #include <sys/procctl.h>
      42             : #endif
      43             : #endif
      44             : 
      45             : #include "common/string.h"
      46             : 
      47             : /* Inhibit mingw CRT's auto-globbing of command line arguments */
      48             : #if defined(WIN32) && !defined(_MSC_VER)
      49             : extern int  _CRT_glob = 0;      /* 0 turns off globbing; 1 turns it on */
      50             : #endif
      51             : 
      52             : /*
      53             :  * Hacky solution to allow expressing both frontend and backend error reports
      54             :  * in one macro call.  First argument of log_error is an errcode() call of
      55             :  * some sort (ignored if FRONTEND); the rest are errmsg_internal() arguments,
      56             :  * i.e. message string and any parameters for it.
      57             :  *
      58             :  * Caller must provide the gettext wrapper around the message string, if
      59             :  * appropriate, so that it gets translated in the FRONTEND case; this
      60             :  * motivates using errmsg_internal() not errmsg().  We handle appending a
      61             :  * newline, if needed, inside the macro, so that there's only one translatable
      62             :  * string per call not two.
      63             :  */
      64             : #ifndef FRONTEND
      65             : #define log_error(errcodefn, ...) \
      66             :     ereport(LOG, (errcodefn, errmsg_internal(__VA_ARGS__)))
      67             : #else
      68             : #define log_error(errcodefn, ...) \
      69             :     (fprintf(stderr, __VA_ARGS__), fputc('\n', stderr))
      70             : #endif
      71             : 
      72             : static int  normalize_exec_path(char *path);
      73             : static char *pg_realpath(const char *fname);
      74             : 
      75             : #ifdef WIN32
      76             : static BOOL GetTokenUser(HANDLE hToken, PTOKEN_USER *ppTokenUser);
      77             : #endif
      78             : 
      79             : /*
      80             :  * validate_exec -- validate "path" as an executable file
      81             :  *
      82             :  * returns 0 if the file is found and no error is encountered.
      83             :  *        -1 if the regular file "path" does not exist or cannot be executed.
      84             :  *        -2 if the file is otherwise valid but cannot be read.
      85             :  * in the failure cases, errno is set appropriately
      86             :  */
      87             : int
      88       31108 : validate_exec(const char *path)
      89             : {
      90             :     struct stat buf;
      91             :     int         is_r;
      92             :     int         is_x;
      93             : 
      94             : #ifdef WIN32
      95             :     char        path_exe[MAXPGPATH + sizeof(".exe") - 1];
      96             : 
      97             :     /* Win32 requires a .exe suffix for stat() */
      98             :     if (strlen(path) < strlen(".exe") ||
      99             :         pg_strcasecmp(path + strlen(path) - strlen(".exe"), ".exe") != 0)
     100             :     {
     101             :         strlcpy(path_exe, path, sizeof(path_exe) - 4);
     102             :         strcat(path_exe, ".exe");
     103             :         path = path_exe;
     104             :     }
     105             : #endif
     106             : 
     107             :     /*
     108             :      * Ensure that the file exists and is a regular file.
     109             :      *
     110             :      * XXX if you have a broken system where stat() looks at the symlink
     111             :      * instead of the underlying file, you lose.
     112             :      */
     113       31108 :     if (stat(path, &buf) < 0)
     114           0 :         return -1;
     115             : 
     116       31108 :     if (!S_ISREG(buf.st_mode))
     117             :     {
     118             :         /*
     119             :          * POSIX offers no errno code that's simply "not a regular file".  If
     120             :          * it's a directory we can use EISDIR.  Otherwise, it's most likely a
     121             :          * device special file, and EPERM (Operation not permitted) isn't too
     122             :          * horribly off base.
     123             :          */
     124           0 :         errno = S_ISDIR(buf.st_mode) ? EISDIR : EPERM;
     125           0 :         return -1;
     126             :     }
     127             : 
     128             :     /*
     129             :      * Ensure that the file is both executable and readable (required for
     130             :      * dynamic loading).
     131             :      */
     132             : #ifndef WIN32
     133       31108 :     is_r = (access(path, R_OK) == 0);
     134       31108 :     is_x = (access(path, X_OK) == 0);
     135             :     /* access() will set errno if it returns -1 */
     136             : #else
     137             :     is_r = buf.st_mode & S_IRUSR;
     138             :     is_x = buf.st_mode & S_IXUSR;
     139             :     errno = EACCES;             /* appropriate thing if we return nonzero */
     140             : #endif
     141       31108 :     return is_x ? (is_r ? 0 : -2) : -1;
     142             : }
     143             : 
     144             : 
     145             : /*
     146             :  * find_my_exec -- find an absolute path to this program's executable
     147             :  *
     148             :  *  argv0 is the name passed on the command line
     149             :  *  retpath is the output area (must be of size MAXPGPATH)
     150             :  *  Returns 0 if OK, -1 if error.
     151             :  *
     152             :  * The reason we have to work so hard to find an absolute path is that
     153             :  * on some platforms we can't do dynamic loading unless we know the
     154             :  * executable's location.  Also, we need an absolute path not a relative
     155             :  * path because we may later change working directory.  Finally, we want
     156             :  * a true path not a symlink location, so that we can locate other files
     157             :  * that are part of our installation relative to the executable.
     158             :  */
     159             : int
     160       29348 : find_my_exec(const char *argv0, char *retpath)
     161             : {
     162             :     char       *path;
     163             : 
     164             :     /*
     165             :      * If argv0 contains a separator, then PATH wasn't used.
     166             :      */
     167       29348 :     strlcpy(retpath, argv0, MAXPGPATH);
     168       29348 :     if (first_dir_separator(retpath) != NULL)
     169             :     {
     170       21436 :         if (validate_exec(retpath) == 0)
     171       21436 :             return normalize_exec_path(retpath);
     172             : 
     173           0 :         log_error(errcode(ERRCODE_WRONG_OBJECT_TYPE),
     174             :                   _("invalid binary \"%s\": %m"), retpath);
     175           0 :         return -1;
     176             :     }
     177             : 
     178             : #ifdef WIN32
     179             :     /* Win32 checks the current directory first for names without slashes */
     180             :     if (validate_exec(retpath) == 0)
     181             :         return normalize_exec_path(retpath);
     182             : #endif
     183             : 
     184             :     /*
     185             :      * Since no explicit path was supplied, the user must have been relying on
     186             :      * PATH.  We'll search the same PATH.
     187             :      */
     188        7912 :     if ((path = getenv("PATH")) && *path)
     189             :     {
     190        7912 :         char       *startp = NULL,
     191        7912 :                    *endp = NULL;
     192             : 
     193             :         do
     194             :         {
     195        7912 :             if (!startp)
     196        7912 :                 startp = path;
     197             :             else
     198           0 :                 startp = endp + 1;
     199             : 
     200        7912 :             endp = first_path_var_separator(startp);
     201        7912 :             if (!endp)
     202           0 :                 endp = startp + strlen(startp); /* point to end */
     203             : 
     204        7912 :             strlcpy(retpath, startp, Min(endp - startp + 1, MAXPGPATH));
     205             : 
     206        7912 :             join_path_components(retpath, retpath, argv0);
     207        7912 :             canonicalize_path(retpath);
     208             : 
     209        7912 :             switch (validate_exec(retpath))
     210             :             {
     211        7912 :                 case 0:         /* found ok */
     212        7912 :                     return normalize_exec_path(retpath);
     213           0 :                 case -1:        /* wasn't even a candidate, keep looking */
     214           0 :                     break;
     215           0 :                 case -2:        /* found but disqualified */
     216           0 :                     log_error(errcode(ERRCODE_WRONG_OBJECT_TYPE),
     217             :                               _("could not read binary \"%s\": %m"),
     218             :                               retpath);
     219           0 :                     break;
     220             :             }
     221           0 :         } while (*endp);
     222             :     }
     223             : 
     224           0 :     log_error(errcode(ERRCODE_UNDEFINED_FILE),
     225             :               _("could not find a \"%s\" to execute"), argv0);
     226           0 :     return -1;
     227             : }
     228             : 
     229             : 
     230             : /*
     231             :  * normalize_exec_path - resolve symlinks and convert to absolute path
     232             :  *
     233             :  * Given a path that refers to an executable, chase through any symlinks
     234             :  * to find the real file location; then convert that to an absolute path.
     235             :  *
     236             :  * On success, replaces the contents of "path" with the absolute path.
     237             :  * ("path" is assumed to be of size MAXPGPATH.)
     238             :  * Returns 0 if OK, -1 if error.
     239             :  */
     240             : static int
     241       29348 : normalize_exec_path(char *path)
     242             : {
     243             :     /*
     244             :      * We used to do a lot of work ourselves here, but now we just let
     245             :      * realpath(3) do all the heavy lifting.
     246             :      */
     247       29348 :     char       *abspath = pg_realpath(path);
     248             : 
     249       29348 :     if (abspath == NULL)
     250             :     {
     251           0 :         log_error(errcode_for_file_access(),
     252             :                   _("could not resolve path \"%s\" to absolute form: %m"),
     253             :                   path);
     254           0 :         return -1;
     255             :     }
     256       29348 :     strlcpy(path, abspath, MAXPGPATH);
     257       29348 :     free(abspath);
     258             : 
     259             : #ifdef WIN32
     260             :     /* On Windows, be sure to convert '\' to '/' */
     261             :     canonicalize_path(path);
     262             : #endif
     263             : 
     264       29348 :     return 0;
     265             : }
     266             : 
     267             : 
     268             : /*
     269             :  * pg_realpath() - realpath(3) with POSIX.1-2008 semantics
     270             :  *
     271             :  * This is equivalent to realpath(fname, NULL), in that it returns a
     272             :  * malloc'd buffer containing the absolute path equivalent to fname.
     273             :  * On error, returns NULL with errno set.
     274             :  *
     275             :  * On Windows, what you get is spelled per platform conventions,
     276             :  * so you probably want to apply canonicalize_path() to the result.
     277             :  *
     278             :  * For now, this is needed only here so mark it static.  If you choose to
     279             :  * move it into its own file, move the _DARWIN_BETTER_REALPATH #define too!
     280             :  */
     281             : static char *
     282       29348 : pg_realpath(const char *fname)
     283             : {
     284             :     char       *path;
     285             : 
     286             : #ifndef WIN32
     287       29348 :     path = realpath(fname, NULL);
     288       29348 :     if (path == NULL && errno == EINVAL)
     289             :     {
     290             :         /*
     291             :          * Cope with old-POSIX systems that require a user-provided buffer.
     292             :          * Assume MAXPGPATH is enough room on all such systems.
     293             :          */
     294           0 :         char       *buf = malloc(MAXPGPATH);
     295             : 
     296           0 :         if (buf == NULL)
     297           0 :             return NULL;        /* assume errno is set */
     298           0 :         path = realpath(fname, buf);
     299           0 :         if (path == NULL)       /* don't leak memory */
     300             :         {
     301           0 :             int         save_errno = errno;
     302             : 
     303           0 :             free(buf);
     304           0 :             errno = save_errno;
     305             :         }
     306             :     }
     307             : #else                           /* WIN32 */
     308             : 
     309             :     /*
     310             :      * Microsoft is resolutely non-POSIX, but _fullpath() does the same thing.
     311             :      * The documentation claims it reports errors by setting errno, which is a
     312             :      * bit surprising for Microsoft, but we'll believe that until it's proven
     313             :      * wrong.  Clear errno first, though, so we can at least tell if a failure
     314             :      * occurs and doesn't set it.
     315             :      */
     316             :     errno = 0;
     317             :     path = _fullpath(NULL, fname, 0);
     318             : #endif
     319             : 
     320       29348 :     return path;
     321             : }
     322             : 
     323             : 
     324             : /*
     325             :  * Find another program in our binary's directory,
     326             :  * then make sure it is the proper version.
     327             :  */
     328             : int
     329        1508 : find_other_exec(const char *argv0, const char *target,
     330             :                 const char *versionstr, char *retpath)
     331             : {
     332             :     char        cmd[MAXPGPATH];
     333             :     char       *line;
     334             : 
     335        1508 :     if (find_my_exec(argv0, retpath) < 0)
     336           0 :         return -1;
     337             : 
     338             :     /* Trim off program name and keep just directory */
     339        1508 :     *last_dir_separator(retpath) = '\0';
     340        1508 :     canonicalize_path(retpath);
     341             : 
     342             :     /* Now append the other program's name */
     343        1508 :     snprintf(retpath + strlen(retpath), MAXPGPATH - strlen(retpath),
     344             :              "/%s%s", target, EXE);
     345             : 
     346        1508 :     if (validate_exec(retpath) != 0)
     347           0 :         return -1;
     348             : 
     349        1508 :     snprintf(cmd, sizeof(cmd), "\"%s\" -V", retpath);
     350             : 
     351        1508 :     if ((line = pipe_read_line(cmd)) == NULL)
     352           0 :         return -1;
     353             : 
     354        1508 :     if (strcmp(line, versionstr) != 0)
     355             :     {
     356           0 :         pfree(line);
     357           0 :         return -2;
     358             :     }
     359             : 
     360        1508 :     pfree(line);
     361        1508 :     return 0;
     362             : }
     363             : 
     364             : 
     365             : /*
     366             :  * Execute a command in a pipe and read the first line from it. The returned
     367             :  * string is palloc'd (malloc'd in frontend code), the caller is responsible
     368             :  * for freeing.
     369             :  */
     370             : char *
     371        1762 : pipe_read_line(char *cmd)
     372             : {
     373             :     FILE       *pipe_cmd;
     374             :     char       *line;
     375             : 
     376        1762 :     fflush(NULL);
     377             : 
     378        1762 :     errno = 0;
     379        1762 :     if ((pipe_cmd = popen(cmd, "r")) == NULL)
     380             :     {
     381           0 :         log_error(errcode(ERRCODE_SYSTEM_ERROR),
     382             :                   _("could not execute command \"%s\": %m"), cmd);
     383           0 :         return NULL;
     384             :     }
     385             : 
     386             :     /* Make sure popen() didn't change errno */
     387        1762 :     errno = 0;
     388        1762 :     line = pg_get_line(pipe_cmd, NULL);
     389             : 
     390        1762 :     if (line == NULL)
     391             :     {
     392           0 :         if (ferror(pipe_cmd))
     393           0 :             log_error(errcode_for_file_access(),
     394             :                       _("could not read from command \"%s\": %m"), cmd);
     395             :         else
     396           0 :             log_error(errcode(ERRCODE_NO_DATA),
     397             :                       _("no data was returned by command \"%s\""), cmd);
     398             :     }
     399             : 
     400        1762 :     (void) pclose_check(pipe_cmd);
     401             : 
     402        1762 :     return line;
     403             : }
     404             : 
     405             : 
     406             : /*
     407             :  * pclose() plus useful error reporting
     408             :  */
     409             : int
     410        1924 : pclose_check(FILE *stream)
     411             : {
     412             :     int         exitstatus;
     413             :     char       *reason;
     414             : 
     415        1924 :     exitstatus = pclose(stream);
     416             : 
     417        1924 :     if (exitstatus == 0)
     418        1918 :         return 0;               /* all is well */
     419             : 
     420           6 :     if (exitstatus == -1)
     421             :     {
     422             :         /* pclose() itself failed, and hopefully set errno */
     423           0 :         log_error(errcode(ERRCODE_SYSTEM_ERROR),
     424             :                   _("%s() failed: %m"), "pclose");
     425             :     }
     426             :     else
     427             :     {
     428           6 :         reason = wait_result_to_str(exitstatus);
     429           6 :         log_error(errcode(ERRCODE_SYSTEM_ERROR),
     430             :                   "%s", reason);
     431           6 :         pfree(reason);
     432             :     }
     433           6 :     return exitstatus;
     434             : }
     435             : 
     436             : /*
     437             :  *  set_pglocale_pgservice
     438             :  *
     439             :  *  Set application-specific locale and service directory
     440             :  *
     441             :  *  This function takes the value of argv[0] rather than a full path.
     442             :  *
     443             :  * (You may be wondering why this is in exec.c.  It requires this module's
     444             :  * services and doesn't introduce any new dependencies, so this seems as
     445             :  * good as anyplace.)
     446             :  */
     447             : void
     448       25108 : set_pglocale_pgservice(const char *argv0, const char *app)
     449             : {
     450             :     char        path[MAXPGPATH];
     451             :     char        my_exec_path[MAXPGPATH];
     452             : 
     453             :     /* don't set LC_ALL in the backend */
     454       25108 :     if (strcmp(app, PG_TEXTDOMAIN("postgres")) != 0)
     455             :     {
     456       22030 :         setlocale(LC_ALL, "");
     457             : 
     458             :         /*
     459             :          * One could make a case for reproducing here PostmasterMain()'s test
     460             :          * for whether the process is multithreaded.  Unlike the postmaster,
     461             :          * no frontend program calls sigprocmask() or otherwise provides for
     462             :          * mutual exclusion between signal handlers.  While frontends using
     463             :          * fork(), if multithreaded, are formally exposed to undefined
     464             :          * behavior, we have not witnessed a concrete bug.  Therefore,
     465             :          * complaining about multithreading here may be mere pedantry.
     466             :          */
     467             :     }
     468             : 
     469       25108 :     if (find_my_exec(argv0, my_exec_path) < 0)
     470           0 :         return;
     471             : 
     472             : #ifdef ENABLE_NLS
     473       25108 :     get_locale_path(my_exec_path, path);
     474       25108 :     bindtextdomain(app, path);
     475       25108 :     textdomain(app);
     476             :     /* set for libpq to use, but don't override existing setting */
     477       25108 :     setenv("PGLOCALEDIR", path, 0);
     478             : #endif
     479             : 
     480       25108 :     if (getenv("PGSYSCONFDIR") == NULL)
     481             :     {
     482       18730 :         get_etc_path(my_exec_path, path);
     483             :         /* set for libpq to use */
     484       18730 :         setenv("PGSYSCONFDIR", path, 0);
     485             :     }
     486             : }
     487             : 
     488             : #ifdef EXEC_BACKEND
     489             : /*
     490             :  * For the benefit of PostgreSQL developers testing EXEC_BACKEND on Unix
     491             :  * systems (code paths normally exercised only on Windows), provide a way to
     492             :  * disable address space layout randomization, if we know how on this platform.
     493             :  * Otherwise, backends may fail to attach to shared memory at the fixed address
     494             :  * chosen by the postmaster.  (See also the macOS-specific hack in
     495             :  * sysv_shmem.c.)
     496             :  */
     497             : int
     498             : pg_disable_aslr(void)
     499             : {
     500             : #if defined(HAVE_SYS_PERSONALITY_H)
     501             :     return personality(ADDR_NO_RANDOMIZE);
     502             : #elif defined(HAVE_SYS_PROCCTL_H) && defined(PROC_ASLR_FORCE_DISABLE)
     503             :     int         data = PROC_ASLR_FORCE_DISABLE;
     504             : 
     505             :     return procctl(P_PID, 0, PROC_ASLR_CTL, &data);
     506             : #else
     507             :     errno = ENOSYS;
     508             :     return -1;
     509             : #endif
     510             : }
     511             : #endif
     512             : 
     513             : #ifdef WIN32
     514             : 
     515             : /*
     516             :  * AddUserToTokenDacl(HANDLE hToken)
     517             :  *
     518             :  * This function adds the current user account to the restricted
     519             :  * token used when we create a restricted process.
     520             :  *
     521             :  * This is required because of some security changes in Windows
     522             :  * that appeared in patches to XP/2K3 and in Vista/2008.
     523             :  *
     524             :  * On these machines, the Administrator account is not included in
     525             :  * the default DACL - you just get Administrators + System. For
     526             :  * regular users you get User + System. Because we strip Administrators
     527             :  * when we create the restricted token, we are left with only System
     528             :  * in the DACL which leads to access denied errors for later CreatePipe()
     529             :  * and CreateProcess() calls when running as Administrator.
     530             :  *
     531             :  * This function fixes this problem by modifying the DACL of the
     532             :  * token the process will use, and explicitly re-adding the current
     533             :  * user account.  This is still secure because the Administrator account
     534             :  * inherits its privileges from the Administrators group - it doesn't
     535             :  * have any of its own.
     536             :  */
     537             : BOOL
     538             : AddUserToTokenDacl(HANDLE hToken)
     539             : {
     540             :     int         i;
     541             :     ACL_SIZE_INFORMATION asi;
     542             :     ACCESS_ALLOWED_ACE *pace;
     543             :     DWORD       dwNewAclSize;
     544             :     DWORD       dwSize = 0;
     545             :     DWORD       dwTokenInfoLength = 0;
     546             :     PACL        pacl = NULL;
     547             :     PTOKEN_USER pTokenUser = NULL;
     548             :     TOKEN_DEFAULT_DACL tddNew;
     549             :     TOKEN_DEFAULT_DACL *ptdd = NULL;
     550             :     TOKEN_INFORMATION_CLASS tic = TokenDefaultDacl;
     551             :     BOOL        ret = FALSE;
     552             : 
     553             :     /* Figure out the buffer size for the DACL info */
     554             :     if (!GetTokenInformation(hToken, tic, (LPVOID) NULL, dwTokenInfoLength, &dwSize))
     555             :     {
     556             :         if (GetLastError() == ERROR_INSUFFICIENT_BUFFER)
     557             :         {
     558             :             ptdd = (TOKEN_DEFAULT_DACL *) LocalAlloc(LPTR, dwSize);
     559             :             if (ptdd == NULL)
     560             :             {
     561             :                 log_error(errcode(ERRCODE_OUT_OF_MEMORY),
     562             :                           _("out of memory"));
     563             :                 goto cleanup;
     564             :             }
     565             : 
     566             :             if (!GetTokenInformation(hToken, tic, (LPVOID) ptdd, dwSize, &dwSize))
     567             :             {
     568             :                 log_error(errcode(ERRCODE_SYSTEM_ERROR),
     569             :                           "could not get token information: error code %lu",
     570             :                           GetLastError());
     571             :                 goto cleanup;
     572             :             }
     573             :         }
     574             :         else
     575             :         {
     576             :             log_error(errcode(ERRCODE_SYSTEM_ERROR),
     577             :                       "could not get token information buffer size: error code %lu",
     578             :                       GetLastError());
     579             :             goto cleanup;
     580             :         }
     581             :     }
     582             : 
     583             :     /* Get the ACL info */
     584             :     if (!GetAclInformation(ptdd->DefaultDacl, (LPVOID) &asi,
     585             :                            (DWORD) sizeof(ACL_SIZE_INFORMATION),
     586             :                            AclSizeInformation))
     587             :     {
     588             :         log_error(errcode(ERRCODE_SYSTEM_ERROR),
     589             :                   "could not get ACL information: error code %lu",
     590             :                   GetLastError());
     591             :         goto cleanup;
     592             :     }
     593             : 
     594             :     /* Get the current user SID */
     595             :     if (!GetTokenUser(hToken, &pTokenUser))
     596             :         goto cleanup;           /* callee printed a message */
     597             : 
     598             :     /* Figure out the size of the new ACL */
     599             :     dwNewAclSize = asi.AclBytesInUse + sizeof(ACCESS_ALLOWED_ACE) +
     600             :         GetLengthSid(pTokenUser->User.Sid) - sizeof(DWORD);
     601             : 
     602             :     /* Allocate the ACL buffer & initialize it */
     603             :     pacl = (PACL) LocalAlloc(LPTR, dwNewAclSize);
     604             :     if (pacl == NULL)
     605             :     {
     606             :         log_error(errcode(ERRCODE_OUT_OF_MEMORY),
     607             :                   _("out of memory"));
     608             :         goto cleanup;
     609             :     }
     610             : 
     611             :     if (!InitializeAcl(pacl, dwNewAclSize, ACL_REVISION))
     612             :     {
     613             :         log_error(errcode(ERRCODE_SYSTEM_ERROR),
     614             :                   "could not initialize ACL: error code %lu", GetLastError());
     615             :         goto cleanup;
     616             :     }
     617             : 
     618             :     /* Loop through the existing ACEs, and build the new ACL */
     619             :     for (i = 0; i < (int) asi.AceCount; i++)
     620             :     {
     621             :         if (!GetAce(ptdd->DefaultDacl, i, (LPVOID *) &pace))
     622             :         {
     623             :             log_error(errcode(ERRCODE_SYSTEM_ERROR),
     624             :                       "could not get ACE: error code %lu", GetLastError());
     625             :             goto cleanup;
     626             :         }
     627             : 
     628             :         if (!AddAce(pacl, ACL_REVISION, MAXDWORD, pace, ((PACE_HEADER) pace)->AceSize))
     629             :         {
     630             :             log_error(errcode(ERRCODE_SYSTEM_ERROR),
     631             :                       "could not add ACE: error code %lu", GetLastError());
     632             :             goto cleanup;
     633             :         }
     634             :     }
     635             : 
     636             :     /* Add the new ACE for the current user */
     637             :     if (!AddAccessAllowedAceEx(pacl, ACL_REVISION, OBJECT_INHERIT_ACE, GENERIC_ALL, pTokenUser->User.Sid))
     638             :     {
     639             :         log_error(errcode(ERRCODE_SYSTEM_ERROR),
     640             :                   "could not add access allowed ACE: error code %lu",
     641             :                   GetLastError());
     642             :         goto cleanup;
     643             :     }
     644             : 
     645             :     /* Set the new DACL in the token */
     646             :     tddNew.DefaultDacl = pacl;
     647             : 
     648             :     if (!SetTokenInformation(hToken, tic, (LPVOID) &tddNew, dwNewAclSize))
     649             :     {
     650             :         log_error(errcode(ERRCODE_SYSTEM_ERROR),
     651             :                   "could not set token information: error code %lu",
     652             :                   GetLastError());
     653             :         goto cleanup;
     654             :     }
     655             : 
     656             :     ret = TRUE;
     657             : 
     658             : cleanup:
     659             :     if (pTokenUser)
     660             :         LocalFree((HLOCAL) pTokenUser);
     661             : 
     662             :     if (pacl)
     663             :         LocalFree((HLOCAL) pacl);
     664             : 
     665             :     if (ptdd)
     666             :         LocalFree((HLOCAL) ptdd);
     667             : 
     668             :     return ret;
     669             : }
     670             : 
     671             : /*
     672             :  * GetTokenUser(HANDLE hToken, PTOKEN_USER *ppTokenUser)
     673             :  *
     674             :  * Get the users token information from a process token.
     675             :  *
     676             :  * The caller of this function is responsible for calling LocalFree() on the
     677             :  * returned TOKEN_USER memory.
     678             :  */
     679             : static BOOL
     680             : GetTokenUser(HANDLE hToken, PTOKEN_USER *ppTokenUser)
     681             : {
     682             :     DWORD       dwLength;
     683             : 
     684             :     *ppTokenUser = NULL;
     685             : 
     686             :     if (!GetTokenInformation(hToken,
     687             :                              TokenUser,
     688             :                              NULL,
     689             :                              0,
     690             :                              &dwLength))
     691             :     {
     692             :         if (GetLastError() == ERROR_INSUFFICIENT_BUFFER)
     693             :         {
     694             :             *ppTokenUser = (PTOKEN_USER) LocalAlloc(LPTR, dwLength);
     695             : 
     696             :             if (*ppTokenUser == NULL)
     697             :             {
     698             :                 log_error(errcode(ERRCODE_OUT_OF_MEMORY),
     699             :                           _("out of memory"));
     700             :                 return FALSE;
     701             :             }
     702             :         }
     703             :         else
     704             :         {
     705             :             log_error(errcode(ERRCODE_SYSTEM_ERROR),
     706             :                       "could not get token information buffer size: error code %lu",
     707             :                       GetLastError());
     708             :             return FALSE;
     709             :         }
     710             :     }
     711             : 
     712             :     if (!GetTokenInformation(hToken,
     713             :                              TokenUser,
     714             :                              *ppTokenUser,
     715             :                              dwLength,
     716             :                              &dwLength))
     717             :     {
     718             :         LocalFree(*ppTokenUser);
     719             :         *ppTokenUser = NULL;
     720             : 
     721             :         log_error(errcode(ERRCODE_SYSTEM_ERROR),
     722             :                   "could not get token information: error code %lu",
     723             :                   GetLastError());
     724             :         return FALSE;
     725             :     }
     726             : 
     727             :     /* Memory in *ppTokenUser is LocalFree():d by the caller */
     728             :     return TRUE;
     729             : }
     730             : 
     731             : #endif

Generated by: LCOV version 1.14