LCOV - code coverage report
Current view: top level - src/common - exec.c (source / functions) Hit Total Coverage
Test: PostgreSQL 18devel Lines: 73 102 71.6 %
Date: 2024-12-12 16:15:21 Functions: 8 8 100.0 %
Legend: Lines: hit not hit

          Line data    Source code
       1             : /*-------------------------------------------------------------------------
       2             :  *
       3             :  * exec.c
       4             :  *      Functions for finding and validating executable files
       5             :  *
       6             :  *
       7             :  * Portions Copyright (c) 1996-2024, PostgreSQL Global Development Group
       8             :  * Portions Copyright (c) 1994, Regents of the University of California
       9             :  *
      10             :  *
      11             :  * IDENTIFICATION
      12             :  *    src/common/exec.c
      13             :  *
      14             :  *-------------------------------------------------------------------------
      15             :  */
      16             : 
      17             : /*
      18             :  * On macOS, "man realpath" avers:
      19             :  *    Defining _DARWIN_C_SOURCE or _DARWIN_BETTER_REALPATH before including
      20             :  *    stdlib.h will cause the provided implementation of realpath() to use
      21             :  *    F_GETPATH from fcntl(2) to discover the path.
      22             :  * This should be harmless everywhere else.
      23             :  */
      24             : #define _DARWIN_BETTER_REALPATH
      25             : 
      26             : #ifndef FRONTEND
      27             : #include "postgres.h"
      28             : #else
      29             : #include "postgres_fe.h"
      30             : #endif
      31             : 
      32             : #include <signal.h>
      33             : #include <sys/stat.h>
      34             : #include <sys/wait.h>
      35             : #include <unistd.h>
      36             : 
      37             : #ifdef EXEC_BACKEND
      38             : #if defined(HAVE_SYS_PERSONALITY_H)
      39             : #include <sys/personality.h>
      40             : #elif defined(HAVE_SYS_PROCCTL_H)
      41             : #include <sys/procctl.h>
      42             : #endif
      43             : #endif
      44             : 
      45             : #include "common/string.h"
      46             : 
      47             : /* Inhibit mingw CRT's auto-globbing of command line arguments */
      48             : #if defined(WIN32) && !defined(_MSC_VER)
      49             : extern int  _CRT_glob = 0;      /* 0 turns off globbing; 1 turns it on */
      50             : #endif
      51             : 
      52             : /*
      53             :  * Hacky solution to allow expressing both frontend and backend error reports
      54             :  * in one macro call.  First argument of log_error is an errcode() call of
      55             :  * some sort (ignored if FRONTEND); the rest are errmsg_internal() arguments,
      56             :  * i.e. message string and any parameters for it.
      57             :  *
      58             :  * Caller must provide the gettext wrapper around the message string, if
      59             :  * appropriate, so that it gets translated in the FRONTEND case; this
      60             :  * motivates using errmsg_internal() not errmsg().  We handle appending a
      61             :  * newline, if needed, inside the macro, so that there's only one translatable
      62             :  * string per call not two.
      63             :  */
      64             : #ifndef FRONTEND
      65             : #define log_error(errcodefn, ...) \
      66             :     ereport(LOG, (errcodefn, errmsg_internal(__VA_ARGS__)))
      67             : #else
      68             : #define log_error(errcodefn, ...) \
      69             :     (fprintf(stderr, __VA_ARGS__), fputc('\n', stderr))
      70             : #endif
      71             : 
      72             : static int  normalize_exec_path(char *path);
      73             : static char *pg_realpath(const char *fname);
      74             : 
      75             : #ifdef WIN32
      76             : static BOOL GetTokenUser(HANDLE hToken, PTOKEN_USER *ppTokenUser);
      77             : #endif
      78             : 
      79             : /*
      80             :  * validate_exec -- validate "path" as an executable file
      81             :  *
      82             :  * returns 0 if the file is found and no error is encountered.
      83             :  *        -1 if the regular file "path" does not exist or cannot be executed.
      84             :  *        -2 if the file is otherwise valid but cannot be read.
      85             :  * in the failure cases, errno is set appropriately
      86             :  */
      87             : int
      88       33860 : validate_exec(const char *path)
      89             : {
      90             :     struct stat buf;
      91             :     int         is_r;
      92             :     int         is_x;
      93             : 
      94             : #ifdef WIN32
      95             :     char        path_exe[MAXPGPATH + sizeof(".exe") - 1];
      96             : 
      97             :     /* Win32 requires a .exe suffix for stat() */
      98             :     if (strlen(path) < strlen(".exe") ||
      99             :         pg_strcasecmp(path + strlen(path) - strlen(".exe"), ".exe") != 0)
     100             :     {
     101             :         strlcpy(path_exe, path, sizeof(path_exe) - 4);
     102             :         strcat(path_exe, ".exe");
     103             :         path = path_exe;
     104             :     }
     105             : #endif
     106             : 
     107             :     /*
     108             :      * Ensure that the file exists and is a regular file.
     109             :      *
     110             :      * XXX if you have a broken system where stat() looks at the symlink
     111             :      * instead of the underlying file, you lose.
     112             :      */
     113       33860 :     if (stat(path, &buf) < 0)
     114           0 :         return -1;
     115             : 
     116       33860 :     if (!S_ISREG(buf.st_mode))
     117             :     {
     118             :         /*
     119             :          * POSIX offers no errno code that's simply "not a regular file".  If
     120             :          * it's a directory we can use EISDIR.  Otherwise, it's most likely a
     121             :          * device special file, and EPERM (Operation not permitted) isn't too
     122             :          * horribly off base.
     123             :          */
     124           0 :         errno = S_ISDIR(buf.st_mode) ? EISDIR : EPERM;
     125           0 :         return -1;
     126             :     }
     127             : 
     128             :     /*
     129             :      * Ensure that the file is both executable and readable (required for
     130             :      * dynamic loading).
     131             :      */
     132             : #ifndef WIN32
     133       33860 :     is_r = (access(path, R_OK) == 0);
     134       33860 :     is_x = (access(path, X_OK) == 0);
     135             :     /* access() will set errno if it returns -1 */
     136             : #else
     137             :     is_r = buf.st_mode & S_IRUSR;
     138             :     is_x = buf.st_mode & S_IXUSR;
     139             :     errno = EACCES;             /* appropriate thing if we return nonzero */
     140             : #endif
     141       33860 :     return is_x ? (is_r ? 0 : -2) : -1;
     142             : }
     143             : 
     144             : 
     145             : /*
     146             :  * find_my_exec -- find an absolute path to this program's executable
     147             :  *
     148             :  *  argv0 is the name passed on the command line
     149             :  *  retpath is the output area (must be of size MAXPGPATH)
     150             :  *  Returns 0 if OK, -1 if error.
     151             :  *
     152             :  * The reason we have to work so hard to find an absolute path is that
     153             :  * on some platforms we can't do dynamic loading unless we know the
     154             :  * executable's location.  Also, we need an absolute path not a relative
     155             :  * path because we may later change working directory.  Finally, we want
     156             :  * a true path not a symlink location, so that we can locate other files
     157             :  * that are part of our installation relative to the executable.
     158             :  */
     159             : int
     160       32022 : find_my_exec(const char *argv0, char *retpath)
     161             : {
     162             :     char       *path;
     163             : 
     164             :     /*
     165             :      * If argv0 contains a separator, then PATH wasn't used.
     166             :      */
     167       32022 :     strlcpy(retpath, argv0, MAXPGPATH);
     168       32022 :     if (first_dir_separator(retpath) != NULL)
     169             :     {
     170       23662 :         if (validate_exec(retpath) == 0)
     171       23662 :             return normalize_exec_path(retpath);
     172             : 
     173           0 :         log_error(errcode(ERRCODE_WRONG_OBJECT_TYPE),
     174             :                   _("invalid binary \"%s\": %m"), retpath);
     175           0 :         return -1;
     176             :     }
     177             : 
     178             : #ifdef WIN32
     179             :     /* Win32 checks the current directory first for names without slashes */
     180             :     if (validate_exec(retpath) == 0)
     181             :         return normalize_exec_path(retpath);
     182             : #endif
     183             : 
     184             :     /*
     185             :      * Since no explicit path was supplied, the user must have been relying on
     186             :      * PATH.  We'll search the same PATH.
     187             :      */
     188        8360 :     if ((path = getenv("PATH")) && *path)
     189             :     {
     190        8360 :         char       *startp = NULL,
     191        8360 :                    *endp = NULL;
     192             : 
     193             :         do
     194             :         {
     195        8360 :             if (!startp)
     196        8360 :                 startp = path;
     197             :             else
     198           0 :                 startp = endp + 1;
     199             : 
     200        8360 :             endp = first_path_var_separator(startp);
     201        8360 :             if (!endp)
     202           0 :                 endp = startp + strlen(startp); /* point to end */
     203             : 
     204        8360 :             strlcpy(retpath, startp, Min(endp - startp + 1, MAXPGPATH));
     205             : 
     206        8360 :             join_path_components(retpath, retpath, argv0);
     207        8360 :             canonicalize_path(retpath);
     208             : 
     209        8360 :             switch (validate_exec(retpath))
     210             :             {
     211        8360 :                 case 0:         /* found ok */
     212        8360 :                     return normalize_exec_path(retpath);
     213           0 :                 case -1:        /* wasn't even a candidate, keep looking */
     214           0 :                     break;
     215           0 :                 case -2:        /* found but disqualified */
     216           0 :                     log_error(errcode(ERRCODE_WRONG_OBJECT_TYPE),
     217             :                               _("could not read binary \"%s\": %m"),
     218             :                               retpath);
     219           0 :                     break;
     220             :             }
     221           0 :         } while (*endp);
     222             :     }
     223             : 
     224           0 :     log_error(errcode(ERRCODE_UNDEFINED_FILE),
     225             :               _("could not find a \"%s\" to execute"), argv0);
     226           0 :     return -1;
     227             : }
     228             : 
     229             : 
     230             : /*
     231             :  * normalize_exec_path - resolve symlinks and convert to absolute path
     232             :  *
     233             :  * Given a path that refers to an executable, chase through any symlinks
     234             :  * to find the real file location; then convert that to an absolute path.
     235             :  *
     236             :  * On success, replaces the contents of "path" with the absolute path.
     237             :  * ("path" is assumed to be of size MAXPGPATH.)
     238             :  * Returns 0 if OK, -1 if error.
     239             :  */
     240             : static int
     241       32022 : normalize_exec_path(char *path)
     242             : {
     243             :     /*
     244             :      * We used to do a lot of work ourselves here, but now we just let
     245             :      * realpath(3) do all the heavy lifting.
     246             :      */
     247       32022 :     char       *abspath = pg_realpath(path);
     248             : 
     249       32022 :     if (abspath == NULL)
     250             :     {
     251           0 :         log_error(errcode_for_file_access(),
     252             :                   _("could not resolve path \"%s\" to absolute form: %m"),
     253             :                   path);
     254           0 :         return -1;
     255             :     }
     256       32022 :     strlcpy(path, abspath, MAXPGPATH);
     257       32022 :     free(abspath);
     258             : 
     259             : #ifdef WIN32
     260             :     /* On Windows, be sure to convert '\' to '/' */
     261             :     canonicalize_path(path);
     262             : #endif
     263             : 
     264       32022 :     return 0;
     265             : }
     266             : 
     267             : 
     268             : /*
     269             :  * pg_realpath() - realpath(3) with POSIX.1-2008 semantics
     270             :  *
     271             :  * This is equivalent to realpath(fname, NULL), in that it returns a
     272             :  * malloc'd buffer containing the absolute path equivalent to fname.
     273             :  * On error, returns NULL with errno set.
     274             :  *
     275             :  * On Windows, what you get is spelled per platform conventions,
     276             :  * so you probably want to apply canonicalize_path() to the result.
     277             :  *
     278             :  * For now, this is needed only here so mark it static.  If you choose to
     279             :  * move it into its own file, move the _DARWIN_BETTER_REALPATH #define too!
     280             :  */
     281             : static char *
     282       32022 : pg_realpath(const char *fname)
     283             : {
     284             :     char       *path;
     285             : 
     286             : #ifndef WIN32
     287       32022 :     path = realpath(fname, NULL);
     288             : #else                           /* WIN32 */
     289             : 
     290             :     /*
     291             :      * Microsoft is resolutely non-POSIX, but _fullpath() does the same thing.
     292             :      * The documentation claims it reports errors by setting errno, which is a
     293             :      * bit surprising for Microsoft, but we'll believe that until it's proven
     294             :      * wrong.  Clear errno first, though, so we can at least tell if a failure
     295             :      * occurs and doesn't set it.
     296             :      */
     297             :     errno = 0;
     298             :     path = _fullpath(NULL, fname, 0);
     299             : #endif
     300             : 
     301       32022 :     return path;
     302             : }
     303             : 
     304             : 
     305             : /*
     306             :  * Find another program in our binary's directory,
     307             :  * then make sure it is the proper version.
     308             :  */
     309             : int
     310        1586 : find_other_exec(const char *argv0, const char *target,
     311             :                 const char *versionstr, char *retpath)
     312             : {
     313             :     char        cmd[MAXPGPATH];
     314             :     char       *line;
     315             : 
     316        1586 :     if (find_my_exec(argv0, retpath) < 0)
     317           0 :         return -1;
     318             : 
     319             :     /* Trim off program name and keep just directory */
     320        1586 :     *last_dir_separator(retpath) = '\0';
     321        1586 :     canonicalize_path(retpath);
     322             : 
     323             :     /* Now append the other program's name */
     324        1586 :     snprintf(retpath + strlen(retpath), MAXPGPATH - strlen(retpath),
     325             :              "/%s%s", target, EXE);
     326             : 
     327        1586 :     if (validate_exec(retpath) != 0)
     328           0 :         return -1;
     329             : 
     330        1586 :     snprintf(cmd, sizeof(cmd), "\"%s\" -V", retpath);
     331             : 
     332        1586 :     if ((line = pipe_read_line(cmd)) == NULL)
     333           0 :         return -1;
     334             : 
     335        1586 :     if (strcmp(line, versionstr) != 0)
     336             :     {
     337           0 :         pfree(line);
     338           0 :         return -2;
     339             :     }
     340             : 
     341        1586 :     pfree(line);
     342        1586 :     return 0;
     343             : }
     344             : 
     345             : 
     346             : /*
     347             :  * Execute a command in a pipe and read the first line from it. The returned
     348             :  * string is palloc'd (malloc'd in frontend code), the caller is responsible
     349             :  * for freeing.
     350             :  */
     351             : char *
     352        1840 : pipe_read_line(char *cmd)
     353             : {
     354             :     FILE       *pipe_cmd;
     355             :     char       *line;
     356             : 
     357        1840 :     fflush(NULL);
     358             : 
     359        1840 :     errno = 0;
     360        1840 :     if ((pipe_cmd = popen(cmd, "r")) == NULL)
     361             :     {
     362           0 :         log_error(errcode(ERRCODE_SYSTEM_ERROR),
     363             :                   _("could not execute command \"%s\": %m"), cmd);
     364           0 :         return NULL;
     365             :     }
     366             : 
     367             :     /* Make sure popen() didn't change errno */
     368        1840 :     errno = 0;
     369        1840 :     line = pg_get_line(pipe_cmd, NULL);
     370             : 
     371        1840 :     if (line == NULL)
     372             :     {
     373           0 :         if (ferror(pipe_cmd))
     374           0 :             log_error(errcode_for_file_access(),
     375             :                       _("could not read from command \"%s\": %m"), cmd);
     376             :         else
     377           0 :             log_error(errcode(ERRCODE_NO_DATA),
     378             :                       _("no data was returned by command \"%s\""), cmd);
     379             :     }
     380             : 
     381        1840 :     (void) pclose_check(pipe_cmd);
     382             : 
     383        1840 :     return line;
     384             : }
     385             : 
     386             : 
     387             : /*
     388             :  * pclose() plus useful error reporting
     389             :  */
     390             : int
     391        2022 : pclose_check(FILE *stream)
     392             : {
     393             :     int         exitstatus;
     394             :     char       *reason;
     395             : 
     396        2022 :     exitstatus = pclose(stream);
     397             : 
     398        2022 :     if (exitstatus == 0)
     399        2016 :         return 0;               /* all is well */
     400             : 
     401           6 :     if (exitstatus == -1)
     402             :     {
     403             :         /* pclose() itself failed, and hopefully set errno */
     404           0 :         log_error(errcode(ERRCODE_SYSTEM_ERROR),
     405             :                   _("%s() failed: %m"), "pclose");
     406             :     }
     407             :     else
     408             :     {
     409           6 :         reason = wait_result_to_str(exitstatus);
     410           6 :         log_error(errcode(ERRCODE_SYSTEM_ERROR),
     411             :                   "%s", reason);
     412           6 :         pfree(reason);
     413             :     }
     414           6 :     return exitstatus;
     415             : }
     416             : 
     417             : /*
     418             :  *  set_pglocale_pgservice
     419             :  *
     420             :  *  Set application-specific locale and service directory
     421             :  *
     422             :  *  This function takes the value of argv[0] rather than a full path.
     423             :  *
     424             :  * (You may be wondering why this is in exec.c.  It requires this module's
     425             :  * services and doesn't introduce any new dependencies, so this seems as
     426             :  * good as anyplace.)
     427             :  */
     428             : void
     429       27514 : set_pglocale_pgservice(const char *argv0, const char *app)
     430             : {
     431             :     char        path[MAXPGPATH];
     432             :     char        my_exec_path[MAXPGPATH];
     433             : 
     434             :     /* don't set LC_ALL in the backend */
     435       27514 :     if (strcmp(app, PG_TEXTDOMAIN("postgres")) != 0)
     436             :     {
     437       24222 :         setlocale(LC_ALL, "");
     438             : 
     439             :         /*
     440             :          * One could make a case for reproducing here PostmasterMain()'s test
     441             :          * for whether the process is multithreaded.  Unlike the postmaster,
     442             :          * no frontend program calls sigprocmask() or otherwise provides for
     443             :          * mutual exclusion between signal handlers.  While frontends using
     444             :          * fork(), if multithreaded, are formally exposed to undefined
     445             :          * behavior, we have not witnessed a concrete bug.  Therefore,
     446             :          * complaining about multithreading here may be mere pedantry.
     447             :          */
     448             :     }
     449             : 
     450       27514 :     if (find_my_exec(argv0, my_exec_path) < 0)
     451           0 :         return;
     452             : 
     453             : #ifdef ENABLE_NLS
     454       27514 :     get_locale_path(my_exec_path, path);
     455       27514 :     bindtextdomain(app, path);
     456       27514 :     textdomain(app);
     457             :     /* set for libpq to use, but don't override existing setting */
     458       27514 :     setenv("PGLOCALEDIR", path, 0);
     459             : #endif
     460             : 
     461       27514 :     if (getenv("PGSYSCONFDIR") == NULL)
     462             :     {
     463       20850 :         get_etc_path(my_exec_path, path);
     464             :         /* set for libpq to use */
     465       20850 :         setenv("PGSYSCONFDIR", path, 0);
     466             :     }
     467             : }
     468             : 
     469             : #ifdef EXEC_BACKEND
     470             : /*
     471             :  * For the benefit of PostgreSQL developers testing EXEC_BACKEND on Unix
     472             :  * systems (code paths normally exercised only on Windows), provide a way to
     473             :  * disable address space layout randomization, if we know how on this platform.
     474             :  * Otherwise, backends may fail to attach to shared memory at the fixed address
     475             :  * chosen by the postmaster.  (See also the macOS-specific hack in
     476             :  * sysv_shmem.c.)
     477             :  */
     478             : int
     479             : pg_disable_aslr(void)
     480             : {
     481             : #if defined(HAVE_SYS_PERSONALITY_H)
     482             :     return personality(ADDR_NO_RANDOMIZE);
     483             : #elif defined(HAVE_SYS_PROCCTL_H) && defined(PROC_ASLR_FORCE_DISABLE)
     484             :     int         data = PROC_ASLR_FORCE_DISABLE;
     485             : 
     486             :     return procctl(P_PID, 0, PROC_ASLR_CTL, &data);
     487             : #else
     488             :     errno = ENOSYS;
     489             :     return -1;
     490             : #endif
     491             : }
     492             : #endif
     493             : 
     494             : #ifdef WIN32
     495             : 
     496             : /*
     497             :  * AddUserToTokenDacl(HANDLE hToken)
     498             :  *
     499             :  * This function adds the current user account to the restricted
     500             :  * token used when we create a restricted process.
     501             :  *
     502             :  * This is required because of some security changes in Windows
     503             :  * that appeared in patches to XP/2K3 and in Vista/2008.
     504             :  *
     505             :  * On these machines, the Administrator account is not included in
     506             :  * the default DACL - you just get Administrators + System. For
     507             :  * regular users you get User + System. Because we strip Administrators
     508             :  * when we create the restricted token, we are left with only System
     509             :  * in the DACL which leads to access denied errors for later CreatePipe()
     510             :  * and CreateProcess() calls when running as Administrator.
     511             :  *
     512             :  * This function fixes this problem by modifying the DACL of the
     513             :  * token the process will use, and explicitly re-adding the current
     514             :  * user account.  This is still secure because the Administrator account
     515             :  * inherits its privileges from the Administrators group - it doesn't
     516             :  * have any of its own.
     517             :  */
     518             : BOOL
     519             : AddUserToTokenDacl(HANDLE hToken)
     520             : {
     521             :     int         i;
     522             :     ACL_SIZE_INFORMATION asi;
     523             :     ACCESS_ALLOWED_ACE *pace;
     524             :     DWORD       dwNewAclSize;
     525             :     DWORD       dwSize = 0;
     526             :     DWORD       dwTokenInfoLength = 0;
     527             :     PACL        pacl = NULL;
     528             :     PTOKEN_USER pTokenUser = NULL;
     529             :     TOKEN_DEFAULT_DACL tddNew;
     530             :     TOKEN_DEFAULT_DACL *ptdd = NULL;
     531             :     TOKEN_INFORMATION_CLASS tic = TokenDefaultDacl;
     532             :     BOOL        ret = FALSE;
     533             : 
     534             :     /* Figure out the buffer size for the DACL info */
     535             :     if (!GetTokenInformation(hToken, tic, (LPVOID) NULL, dwTokenInfoLength, &dwSize))
     536             :     {
     537             :         if (GetLastError() == ERROR_INSUFFICIENT_BUFFER)
     538             :         {
     539             :             ptdd = (TOKEN_DEFAULT_DACL *) LocalAlloc(LPTR, dwSize);
     540             :             if (ptdd == NULL)
     541             :             {
     542             :                 log_error(errcode(ERRCODE_OUT_OF_MEMORY),
     543             :                           _("out of memory"));
     544             :                 goto cleanup;
     545             :             }
     546             : 
     547             :             if (!GetTokenInformation(hToken, tic, (LPVOID) ptdd, dwSize, &dwSize))
     548             :             {
     549             :                 log_error(errcode(ERRCODE_SYSTEM_ERROR),
     550             :                           "could not get token information: error code %lu",
     551             :                           GetLastError());
     552             :                 goto cleanup;
     553             :             }
     554             :         }
     555             :         else
     556             :         {
     557             :             log_error(errcode(ERRCODE_SYSTEM_ERROR),
     558             :                       "could not get token information buffer size: error code %lu",
     559             :                       GetLastError());
     560             :             goto cleanup;
     561             :         }
     562             :     }
     563             : 
     564             :     /* Get the ACL info */
     565             :     if (!GetAclInformation(ptdd->DefaultDacl, (LPVOID) &asi,
     566             :                            (DWORD) sizeof(ACL_SIZE_INFORMATION),
     567             :                            AclSizeInformation))
     568             :     {
     569             :         log_error(errcode(ERRCODE_SYSTEM_ERROR),
     570             :                   "could not get ACL information: error code %lu",
     571             :                   GetLastError());
     572             :         goto cleanup;
     573             :     }
     574             : 
     575             :     /* Get the current user SID */
     576             :     if (!GetTokenUser(hToken, &pTokenUser))
     577             :         goto cleanup;           /* callee printed a message */
     578             : 
     579             :     /* Figure out the size of the new ACL */
     580             :     dwNewAclSize = asi.AclBytesInUse + sizeof(ACCESS_ALLOWED_ACE) +
     581             :         GetLengthSid(pTokenUser->User.Sid) - sizeof(DWORD);
     582             : 
     583             :     /* Allocate the ACL buffer & initialize it */
     584             :     pacl = (PACL) LocalAlloc(LPTR, dwNewAclSize);
     585             :     if (pacl == NULL)
     586             :     {
     587             :         log_error(errcode(ERRCODE_OUT_OF_MEMORY),
     588             :                   _("out of memory"));
     589             :         goto cleanup;
     590             :     }
     591             : 
     592             :     if (!InitializeAcl(pacl, dwNewAclSize, ACL_REVISION))
     593             :     {
     594             :         log_error(errcode(ERRCODE_SYSTEM_ERROR),
     595             :                   "could not initialize ACL: error code %lu", GetLastError());
     596             :         goto cleanup;
     597             :     }
     598             : 
     599             :     /* Loop through the existing ACEs, and build the new ACL */
     600             :     for (i = 0; i < (int) asi.AceCount; i++)
     601             :     {
     602             :         if (!GetAce(ptdd->DefaultDacl, i, (LPVOID *) &pace))
     603             :         {
     604             :             log_error(errcode(ERRCODE_SYSTEM_ERROR),
     605             :                       "could not get ACE: error code %lu", GetLastError());
     606             :             goto cleanup;
     607             :         }
     608             : 
     609             :         if (!AddAce(pacl, ACL_REVISION, MAXDWORD, pace, ((PACE_HEADER) pace)->AceSize))
     610             :         {
     611             :             log_error(errcode(ERRCODE_SYSTEM_ERROR),
     612             :                       "could not add ACE: error code %lu", GetLastError());
     613             :             goto cleanup;
     614             :         }
     615             :     }
     616             : 
     617             :     /* Add the new ACE for the current user */
     618             :     if (!AddAccessAllowedAceEx(pacl, ACL_REVISION, OBJECT_INHERIT_ACE, GENERIC_ALL, pTokenUser->User.Sid))
     619             :     {
     620             :         log_error(errcode(ERRCODE_SYSTEM_ERROR),
     621             :                   "could not add access allowed ACE: error code %lu",
     622             :                   GetLastError());
     623             :         goto cleanup;
     624             :     }
     625             : 
     626             :     /* Set the new DACL in the token */
     627             :     tddNew.DefaultDacl = pacl;
     628             : 
     629             :     if (!SetTokenInformation(hToken, tic, (LPVOID) &tddNew, dwNewAclSize))
     630             :     {
     631             :         log_error(errcode(ERRCODE_SYSTEM_ERROR),
     632             :                   "could not set token information: error code %lu",
     633             :                   GetLastError());
     634             :         goto cleanup;
     635             :     }
     636             : 
     637             :     ret = TRUE;
     638             : 
     639             : cleanup:
     640             :     if (pTokenUser)
     641             :         LocalFree((HLOCAL) pTokenUser);
     642             : 
     643             :     if (pacl)
     644             :         LocalFree((HLOCAL) pacl);
     645             : 
     646             :     if (ptdd)
     647             :         LocalFree((HLOCAL) ptdd);
     648             : 
     649             :     return ret;
     650             : }
     651             : 
     652             : /*
     653             :  * GetTokenUser(HANDLE hToken, PTOKEN_USER *ppTokenUser)
     654             :  *
     655             :  * Get the users token information from a process token.
     656             :  *
     657             :  * The caller of this function is responsible for calling LocalFree() on the
     658             :  * returned TOKEN_USER memory.
     659             :  */
     660             : static BOOL
     661             : GetTokenUser(HANDLE hToken, PTOKEN_USER *ppTokenUser)
     662             : {
     663             :     DWORD       dwLength;
     664             : 
     665             :     *ppTokenUser = NULL;
     666             : 
     667             :     if (!GetTokenInformation(hToken,
     668             :                              TokenUser,
     669             :                              NULL,
     670             :                              0,
     671             :                              &dwLength))
     672             :     {
     673             :         if (GetLastError() == ERROR_INSUFFICIENT_BUFFER)
     674             :         {
     675             :             *ppTokenUser = (PTOKEN_USER) LocalAlloc(LPTR, dwLength);
     676             : 
     677             :             if (*ppTokenUser == NULL)
     678             :             {
     679             :                 log_error(errcode(ERRCODE_OUT_OF_MEMORY),
     680             :                           _("out of memory"));
     681             :                 return FALSE;
     682             :             }
     683             :         }
     684             :         else
     685             :         {
     686             :             log_error(errcode(ERRCODE_SYSTEM_ERROR),
     687             :                       "could not get token information buffer size: error code %lu",
     688             :                       GetLastError());
     689             :             return FALSE;
     690             :         }
     691             :     }
     692             : 
     693             :     if (!GetTokenInformation(hToken,
     694             :                              TokenUser,
     695             :                              *ppTokenUser,
     696             :                              dwLength,
     697             :                              &dwLength))
     698             :     {
     699             :         LocalFree(*ppTokenUser);
     700             :         *ppTokenUser = NULL;
     701             : 
     702             :         log_error(errcode(ERRCODE_SYSTEM_ERROR),
     703             :                   "could not get token information: error code %lu",
     704             :                   GetLastError());
     705             :         return FALSE;
     706             :     }
     707             : 
     708             :     /* Memory in *ppTokenUser is LocalFree():d by the caller */
     709             :     return TRUE;
     710             : }
     711             : 
     712             : #endif

Generated by: LCOV version 1.14