Add inheritable ACE when creating a restricted token for execution on

Win32.

Also refactor the code around it to be more clear.

Jesse Morris

diff --git a/src/bin/initdb/initdb.c b/src/bin/initdb/initdb.c
index 949725c2b254cb0973d6e5c50a3f0d644f54b9f1..57a1ef5ff386e74914ac3d5228e805df9990cd4e 100644 (file)
--- a/src/bin/initdb/initdb.c
+++ b/src/bin/initdb/initdb.c
@@ -2354,6 +2354,10 @@ CreateRestrictedProcess(char *cmd, PROCESS_INFORMATION *processInfo)
        return 0;
    }
 
+#ifndef __CYGWIN__
+    AddUserToTokenDacl(restrictedToken);
+#endif
+
    if (!CreateProcessAsUser(restrictedToken,
                             NULL,
                             cmd,
@@ -2371,10 +2375,6 @@ CreateRestrictedProcess(char *cmd, PROCESS_INFORMATION *processInfo)
        return 0;
    }
 
-#ifndef __CYGWIN__
-   AddUserToDacl(processInfo->hProcess);
-#endif
-
    return ResumeThread(processInfo->hThread);
 }
 #endif

diff --git a/src/bin/pg_ctl/pg_ctl.c b/src/bin/pg_ctl/pg_ctl.c
index b420053637d48037cbf9843db54829971a2a62d6..8136713c4157cbb09255488bff9b7a8116a0c094 100644 (file)
--- a/src/bin/pg_ctl/pg_ctl.c
+++ b/src/bin/pg_ctl/pg_ctl.c
@@ -1405,6 +1405,10 @@ CreateRestrictedProcess(char *cmd, PROCESS_INFORMATION *processInfo, bool as_ser
        return 0;
    }
 
+#ifndef __CYGWIN__
+   AddUserToTokenDacl(restrictedToken);
+#endif
+
    r = CreateProcessAsUser(restrictedToken, NULL, cmd, NULL, NULL, TRUE, CREATE_SUSPENDED, NULL, NULL, &si, processInfo);
 
    Kernel32Handle = LoadLibrary("KERNEL32.DLL");
@@ -1503,9 +1507,6 @@ CreateRestrictedProcess(char *cmd, PROCESS_INFORMATION *processInfo, bool as_ser
        }
    }
 
-#ifndef __CYGWIN__
-   AddUserToDacl(processInfo->hProcess);
-#endif
 
    CloseHandle(restrictedToken);
 

diff --git a/src/include/port.h b/src/include/port.h
index 1b9e0e0123a226b9ec4cf95ebe455bd588aea81c..6945aee5859bdf800ef10cd6976d9d01e095b6a8 100644 (file)
--- a/src/include/port.h
+++ b/src/include/port.h
@@ -81,7 +81,7 @@ extern int find_other_exec(const char *argv0, const char *target,
 
 /* Windows security token manipulation (in exec.c) */
 #ifdef WIN32
-extern BOOL AddUserToDacl(HANDLE hProcess);
+extern BOOL AddUserToTokenDacl(HANDLE hToken);
 #endif
 
 

diff --git a/src/port/exec.c b/src/port/exec.c
index f79b4dc2be14b69ee1578fdec02535c339c963a4..cfd0ea55b881479e7a86ce6fe637546bc91807fb 100644 (file)
--- a/src/port/exec.c
+++ b/src/port/exec.c
@@ -664,11 +664,10 @@ set_pglocale_pgservice(const char *argv0, const char *app)
 #ifdef WIN32
 
 /*
- * AddUserToDacl(HANDLE hProcess)
+ * AddUserToTokenDacl(HANDLE hToken)
  *
- * This function adds the current user account to the default DACL
- * which gets attached to the restricted token used when we create
- * a restricted process.
+ * This function adds the current user account to the restricted
+ * token used when we create a restricted process.
  *
  * This is required because of some security changes in Windows
  * that appeared in patches to XP/2K3 and in Vista/2008.
@@ -681,13 +680,13 @@ set_pglocale_pgservice(const char *argv0, const char *app)
  * and CreateProcess() calls when running as Administrator.
  *
  * This function fixes this problem by modifying the DACL of the
- * specified process and explicitly re-adding the current user account.
- * This is still secure because the Administrator account inherits it's
- * privileges from the Administrators group - it doesn't have any of
- * it's own.
+ * token the process will use, and explicitly re-adding the current
+ * user account.  This is still secure because the Administrator account
+ * inherits its privileges from the Administrators group - it doesn't
+ * have any of its own.
  */
 BOOL
-AddUserToDacl(HANDLE hProcess)
+AddUserToTokenDacl(HANDLE hToken)
 {
    int         i;
    ACL_SIZE_INFORMATION asi;
@@ -695,7 +694,6 @@ AddUserToDacl(HANDLE hProcess)
    DWORD       dwNewAclSize;
    DWORD       dwSize = 0;
    DWORD       dwTokenInfoLength = 0;
-   HANDLE      hToken = NULL;
    PACL        pacl = NULL;
    PTOKEN_USER pTokenUser = NULL;
    TOKEN_DEFAULT_DACL tddNew;
@@ -703,13 +701,6 @@ AddUserToDacl(HANDLE hProcess)
    TOKEN_INFORMATION_CLASS tic = TokenDefaultDacl;
    BOOL        ret = FALSE;
 
-   /* Get the token for the process */
-   if (!OpenProcessToken(hProcess, TOKEN_QUERY | TOKEN_ADJUST_DEFAULT, &hToken))
-   {
-       log_error("could not open process token: %lu", GetLastError());
-       goto cleanup;
-   }
-
    /* Figure out the buffer size for the DACL info */
    if (!GetTokenInformation(hToken, tic, (LPVOID) NULL, dwTokenInfoLength, &dwSize))
    {
@@ -789,7 +780,7 @@ AddUserToDacl(HANDLE hProcess)
    }
 
    /* Add the new ACE for the current user */
-   if (!AddAccessAllowedAce(pacl, ACL_REVISION, GENERIC_ALL, pTokenUser->User.Sid))
+   if (!AddAccessAllowedAceEx(pacl, ACL_REVISION, OBJECT_INHERIT_ACE, GENERIC_ALL, pTokenUser->User.Sid))
    {
        log_error("could not add access allowed ACE: %lu", GetLastError());
        goto cleanup;
@@ -816,9 +807,6 @@ cleanup:
    if (ptdd)
        LocalFree((HLOCAL) ptdd);
 
-   if (hToken)
-       CloseHandle(hToken);
-
    return ret;
 }
 

diff --git a/src/test/regress/pg_regress.c b/src/test/regress/pg_regress.c
index f2f9603b21d6cd0d1d11f3ef6b16bf38f826a3c6..32d72648992462bb25b7ead572d552cd239ce5e5 100644 (file)
--- a/src/test/regress/pg_regress.c
+++ b/src/test/regress/pg_regress.c
@@ -1021,6 +1021,10 @@ spawn_process(const char *cmdline)
    cmdline2 = malloc(strlen(cmdline) + 8);
    sprintf(cmdline2, "cmd /c %s", cmdline);
 
+#ifndef __CYGWIN__
+   AddUserToTokenDacl(restrictedToken);
+#endif
+
    if (!CreateProcessAsUser(restrictedToken,
                             NULL,
                             cmdline2,
@@ -1038,10 +1042,6 @@ spawn_process(const char *cmdline)
        exit_nicely(2);
    }
 
-#ifndef __CYGWIN__
-   AddUserToDacl(pi.hProcess);
-#endif
-
    free(cmdline2);
 
    ResumeThread(pi.hThread);