diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/bin/initdb/initdb.c | 10 | ||||
| -rw-r--r-- | src/bin/pg_ctl/pg_ctl.c | 9 | ||||
| -rw-r--r-- | src/include/port.h | 4 | ||||
| -rw-r--r-- | src/port/exec.c | 32 | ||||
| -rw-r--r-- | src/test/regress/pg_regress.c | 10 |
5 files changed, 27 insertions, 38 deletions
diff --git a/src/bin/initdb/initdb.c b/src/bin/initdb/initdb.c index 3fc9b3880ef..fa14161551f 100644 --- a/src/bin/initdb/initdb.c +++ b/src/bin/initdb/initdb.c @@ -42,7 +42,7 @@ * Portions Copyright (c) 1994, Regents of the University of California * Portions taken from FreeBSD. * - * $PostgreSQL: pgsql/src/bin/initdb/initdb.c,v 1.172 2009/06/11 14:49:07 momjian Exp $ + * $PostgreSQL: pgsql/src/bin/initdb/initdb.c,v 1.172.2.1 2009/11/14 15:39:45 mha Exp $ * *------------------------------------------------------------------------- */ @@ -2393,6 +2393,10 @@ CreateRestrictedProcess(char *cmd, PROCESS_INFORMATION *processInfo) return 0; } +#ifndef __CYGWIN__ + AddUserToTokenDacl(restrictedToken); +#endif + if (!CreateProcessAsUser(restrictedToken, NULL, cmd, @@ -2410,10 +2414,6 @@ CreateRestrictedProcess(char *cmd, PROCESS_INFORMATION *processInfo) return 0; } -#ifndef __CYGWIN__ - AddUserToDacl(processInfo->hProcess); -#endif - return ResumeThread(processInfo->hThread); } #endif diff --git a/src/bin/pg_ctl/pg_ctl.c b/src/bin/pg_ctl/pg_ctl.c index 7a7d03e8f69..e80031fba97 100644 --- a/src/bin/pg_ctl/pg_ctl.c +++ b/src/bin/pg_ctl/pg_ctl.c @@ -4,7 +4,7 @@ * * Portions Copyright (c) 1996-2009, PostgreSQL Global Development Group * - * $PostgreSQL: pgsql/src/bin/pg_ctl/pg_ctl.c,v 1.111.2.1 2009/09/02 02:40:59 tgl Exp $ + * $PostgreSQL: pgsql/src/bin/pg_ctl/pg_ctl.c,v 1.111.2.2 2009/11/14 15:39:45 mha Exp $ * *------------------------------------------------------------------------- */ @@ -1390,6 +1390,10 @@ CreateRestrictedProcess(char *cmd, PROCESS_INFORMATION *processInfo, bool as_ser return 0; } +#ifndef __CYGWIN__ + AddUserToTokenDacl(restrictedToken); +#endif + r = CreateProcessAsUser(restrictedToken, NULL, cmd, NULL, NULL, TRUE, CREATE_SUSPENDED, NULL, NULL, &si, processInfo); Kernel32Handle = LoadLibrary("KERNEL32.DLL"); @@ -1488,9 +1492,6 @@ CreateRestrictedProcess(char *cmd, PROCESS_INFORMATION *processInfo, bool as_ser } } -#ifndef __CYGWIN__ - AddUserToDacl(processInfo->hProcess); -#endif CloseHandle(restrictedToken); diff --git a/src/include/port.h b/src/include/port.h index 7eaf8441893..f139367064f 100644 --- a/src/include/port.h +++ b/src/include/port.h @@ -6,7 +6,7 @@ * Portions Copyright (c) 1996-2009, PostgreSQL Global Development Group * Portions Copyright (c) 1994, Regents of the University of California * - * $PostgreSQL: pgsql/src/include/port.h,v 1.125 2009/06/11 14:49:08 momjian Exp $ + * $PostgreSQL: pgsql/src/include/port.h,v 1.125.2.1 2009/11/14 15:39:45 mha Exp $ * *------------------------------------------------------------------------- */ @@ -81,7 +81,7 @@ extern int find_other_exec(const char *argv0, const char *target, /* Windows security token manipulation (in exec.c) */ #ifdef WIN32 -extern BOOL AddUserToDacl(HANDLE hProcess); +extern BOOL AddUserToTokenDacl(HANDLE hToken); #endif diff --git a/src/port/exec.c b/src/port/exec.c index dde509eeeb6..218636575a0 100644 --- a/src/port/exec.c +++ b/src/port/exec.c @@ -9,7 +9,7 @@ * * * IDENTIFICATION - * $PostgreSQL: pgsql/src/port/exec.c,v 1.63 2009/06/11 14:49:15 momjian Exp $ + * $PostgreSQL: pgsql/src/port/exec.c,v 1.63.2.1 2009/11/14 15:39:45 mha Exp $ * *------------------------------------------------------------------------- */ @@ -664,11 +664,10 @@ set_pglocale_pgservice(const char *argv0, const char *app) #ifdef WIN32 /* - * AddUserToDacl(HANDLE hProcess) + * AddUserToTokenDacl(HANDLE hToken) * - * This function adds the current user account to the default DACL - * which gets attached to the restricted token used when we create - * a restricted process. + * This function adds the current user account to the restricted + * token used when we create a restricted process. * * This is required because of some security changes in Windows * that appeared in patches to XP/2K3 and in Vista/2008. @@ -681,13 +680,13 @@ set_pglocale_pgservice(const char *argv0, const char *app) * and CreateProcess() calls when running as Administrator. * * This function fixes this problem by modifying the DACL of the - * specified process and explicitly re-adding the current user account. - * This is still secure because the Administrator account inherits it's - * privileges from the Administrators group - it doesn't have any of - * it's own. + * token the process will use, and explicitly re-adding the current + * user account. This is still secure because the Administrator account + * inherits its privileges from the Administrators group - it doesn't + * have any of its own. */ BOOL -AddUserToDacl(HANDLE hProcess) +AddUserToTokenDacl(HANDLE hToken) { int i; ACL_SIZE_INFORMATION asi; @@ -695,7 +694,6 @@ AddUserToDacl(HANDLE hProcess) DWORD dwNewAclSize; DWORD dwSize = 0; DWORD dwTokenInfoLength = 0; - HANDLE hToken = NULL; PACL pacl = NULL; PSID psidUser = NULL; TOKEN_DEFAULT_DACL tddNew; @@ -703,13 +701,6 @@ AddUserToDacl(HANDLE hProcess) TOKEN_INFORMATION_CLASS tic = TokenDefaultDacl; BOOL ret = FALSE; - /* Get the token for the process */ - if (!OpenProcessToken(hProcess, TOKEN_QUERY | TOKEN_ADJUST_DEFAULT, &hToken)) - { - log_error("could not open process token: %lu", GetLastError()); - goto cleanup; - } - /* Figure out the buffer size for the DACL info */ if (!GetTokenInformation(hToken, tic, (LPVOID) NULL, dwTokenInfoLength, &dwSize)) { @@ -785,7 +776,7 @@ AddUserToDacl(HANDLE hProcess) } /* Add the new ACE for the current user */ - if (!AddAccessAllowedAce(pacl, ACL_REVISION, GENERIC_ALL, psidUser)) + if (!AddAccessAllowedAceEx(pacl, ACL_REVISION, OBJECT_INHERIT_ACE, GENERIC_ALL, psidUser)) { log_error("could not add access allowed ACE: %lu", GetLastError()); goto cleanup; @@ -812,9 +803,6 @@ cleanup: if (ptdd) LocalFree((HLOCAL) ptdd); - if (hToken) - CloseHandle(hToken); - return ret; } diff --git a/src/test/regress/pg_regress.c b/src/test/regress/pg_regress.c index a2bc0af1a3e..238d72b3998 100644 --- a/src/test/regress/pg_regress.c +++ b/src/test/regress/pg_regress.c @@ -11,7 +11,7 @@ * Portions Copyright (c) 1996-2009, PostgreSQL Global Development Group * Portions Copyright (c) 1994, Regents of the University of California * - * $PostgreSQL: pgsql/src/test/regress/pg_regress.c,v 1.63 2009/06/11 14:49:15 momjian Exp $ + * $PostgreSQL: pgsql/src/test/regress/pg_regress.c,v 1.63.2.1 2009/11/14 15:39:45 mha Exp $ * *------------------------------------------------------------------------- */ @@ -1021,6 +1021,10 @@ spawn_process(const char *cmdline) cmdline2 = malloc(strlen(cmdline) + 8); sprintf(cmdline2, "cmd /c %s", cmdline); +#ifndef __CYGWIN__ + AddUserToTokenDacl(restrictedToken); +#endif + if (!CreateProcessAsUser(restrictedToken, NULL, cmdline2, @@ -1038,10 +1042,6 @@ spawn_process(const char *cmdline) exit_nicely(2); } -#ifndef __CYGWIN__ - AddUserToDacl(pi.hProcess); -#endif - free(cmdline2); ResumeThread(pi.hThread); |