Add inheritable ACE when creating a restricted token for execution on

Win32. Also refactor the code around it to be more clear. Jesse Morris

Add inheritable ACE when creating a restricted token for execution on
Win32. Also refactor the code around it to be more clear. Jesse Morris
d509347c · Magnus Hagander · 3b0d57eb · d509347c · d509347c · d509347c
5 changed file
--- a/src/bin/initdb/initdb.c
+++ b/src/bin/initdb/initdb.c
@@ -42,7 +42,7 @@
 * Portions Copyright (c) 1994, Regents of the University of California
 * Portions taken from FreeBSD.
 *
- * $PostgreSQL: pgsql/src/bin/initdb/initdb.c,v 1.152.2.5 2009/03/31 18:58:38 mha Exp $
+ * $PostgreSQL: pgsql/src/bin/initdb/initdb.c,v 1.152.2.6 2009/11/14 15:39:41 mha Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -2344,6 +2344,10 @@ CreateRestrictedProcess(char *cmd, PROCESS_INFORMATION * processInfo)
 		return 0;
 	}
+#ifndef __CYGWIN__
+    AddUserToTokenDacl(restrictedToken);
+#endif
 	if (!CreateProcessAsUser(restrictedToken,
 						NULL,
 						cmd,
@@ -2361,10 +2365,6 @@ CreateRestrictedProcess(char *cmd, PROCESS_INFORMATION * processInfo)
 		return 0;
 	}
-#ifndef __CYGWIN__
-	AddUserToDacl(processInfo->hProcess);
-#endif
 	return ResumeThread(processInfo->hThread);
 }
 #endif

--- a/src/bin/pg_ctl/pg_ctl.c
+++ b/src/bin/pg_ctl/pg_ctl.c
@@ -4,7 +4,7 @@
 *
 * Portions Copyright (c) 1996-2008, PostgreSQL Global Development Group
 *
- * $PostgreSQL: pgsql/src/bin/pg_ctl/pg_ctl.c,v 1.92.2.7 2009/09/02 02:41:07 tgl Exp $
+ * $PostgreSQL: pgsql/src/bin/pg_ctl/pg_ctl.c,v 1.92.2.8 2009/11/14 15:39:41 mha Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -1396,6 +1396,10 @@ CreateRestrictedProcess(char *cmd, PROCESS_INFORMATION * processInfo, bool as_se
 		return 0;
 	}
+#ifndef __CYGWIN__
+    AddUserToTokenDacl(restrictedToken);
+#endif
 	r = CreateProcessAsUser(restrictedToken, NULL, cmd, NULL, NULL, TRUE, CREATE_SUSPENDED, NULL, NULL, &si, processInfo);
 	Kernel32Handle = LoadLibrary("KERNEL32.DLL");
@@ -1492,10 +1496,6 @@ CreateRestrictedProcess(char *cmd, PROCESS_INFORMATION * processInfo, bool as_se
 		}
 	}
-#ifndef __CYGWIN__
-    AddUserToDacl(processInfo->hProcess);
-#endif
 	CloseHandle(restrictedToken);
 	ResumeThread(processInfo->hThread);

--- a/src/include/port.h
+++ b/src/include/port.h
@@ -6,7 +6,7 @@
 * Portions Copyright (c) 1996-2008, PostgreSQL Global Development Group
 * Portions Copyright (c) 1994, Regents of the University of California
 *
- * $PostgreSQL: pgsql/src/include/port.h,v 1.116.2.5 2008/04/18 17:05:53 tgl Exp $
+ * $PostgreSQL: pgsql/src/include/port.h,v 1.116.2.6 2009/11/14 15:39:41 mha Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -80,7 +80,7 @@ extern int find_other_exec(const char *argv0, const char *target,
 /* Windows security token manipulation (in exec.c) */
 #ifdef WIN32
-extern BOOL AddUserToDacl(HANDLE hProcess);
+extern BOOL AddUserToTokenDacl(HANDLE hToken);
 #endif

--- a/src/port/exec.c
+++ b/src/port/exec.c
@@ -9,7 +9,7 @@
 *
 *
 * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/port/exec.c,v 1.57.2.2 2008/03/31 01:32:01 tgl Exp $
+ *	  $PostgreSQL: pgsql/src/port/exec.c,v 1.57.2.3 2009/11/14 15:39:41 mha Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -664,11 +664,10 @@ set_pglocale_pgservice(const char *argv0, const char *app)
 #ifdef WIN32
 /*
- * AddUserToDacl(HANDLE hProcess)
+ * AddUserToTokenDacl(HANDLE hToken)
 *
- * This function adds the current user account to the default DACL
+ * This function adds the current user account to the restricted
- * which gets attached to the restricted token used when we create
+ * token used when we create a restricted process.
- * a restricted process.
 *
 * This is required because of some security changes in Windows
 * that appeared in patches to XP/2K3 and in Vista/2008.
@@ -681,13 +680,13 @@ set_pglocale_pgservice(const char *argv0, const char *app)
 * and CreateProcess() calls when running as Administrator.
 *
 * This function fixes this problem by modifying the DACL of the
- * specified process and explicitly re-adding the current user account.
+ * token the process will use, and explicitly re-adding the current
- * This is still secure because the Administrator account inherits it's
+ * user account.  This is still secure because the Administrator account
- * privileges from the Administrators group - it doesn't have any of
+ * inherits its privileges from the Administrators group - it doesn't
- * it's own.
+ * have any of its own.
 */
 BOOL
-AddUserToDacl(HANDLE hProcess)
+AddUserToTokenDacl(HANDLE hToken)
 {
 	int			i;
 	ACL_SIZE_INFORMATION asi;
@@ -696,7 +695,6 @@ AddUserToDacl(HANDLE hProcess)
 	DWORD		dwSize = 0;
 	DWORD		dwTokenInfoLength = 0;
 	DWORD		dwResult = 0;
-	HANDLE		hToken = NULL;
 	PACL		pacl = NULL;
 	PSID		psidUser = NULL;
 	TOKEN_DEFAULT_DACL tddNew;
@@ -704,13 +702,6 @@ AddUserToDacl(HANDLE hProcess)
 	TOKEN_INFORMATION_CLASS tic = TokenDefaultDacl;
 	BOOL		ret = FALSE;
-	/* Get the token for the process */
-	if (!OpenProcessToken(hProcess, TOKEN_QUERY | TOKEN_ADJUST_DEFAULT, &hToken))
-	{
-		log_error("could not open process token: %ui", GetLastError());
-		goto cleanup;
-	}
 	/* Figure out the buffer size for the DACL info */
 	if (!GetTokenInformation(hToken, tic, (LPVOID) NULL, dwTokenInfoLength, &dwSize))
 	{
@@ -786,7 +777,7 @@ AddUserToDacl(HANDLE hProcess)
 	}
 	/* Add the new ACE for the current user */
-	if (!AddAccessAllowedAce(pacl, ACL_REVISION, GENERIC_ALL, psidUser))
+	if (!AddAccessAllowedAceEx(pacl, ACL_REVISION, OBJECT_INHERIT_ACE, GENERIC_ALL, psidUser))
 	{
 		log_error("could not add access allowed ACE: %ui", GetLastError());
 		goto cleanup;
@@ -813,9 +804,6 @@ cleanup:
 	if (ptdd)
 		LocalFree((HLOCAL) ptdd);
-	if (hToken)
-		CloseHandle(hToken);
 	return ret;
 }

--- a/src/test/regress/pg_regress.c
+++ b/src/test/regress/pg_regress.c
@@ -11,7 +11,7 @@
 * Portions Copyright (c) 1996-2008, PostgreSQL Global Development Group
 * Portions Copyright (c) 1994, Regents of the University of California
 *
- * $PostgreSQL: pgsql/src/test/regress/pg_regress.c,v 1.41.2.3 2008/08/03 05:12:45 tgl Exp $
+ * $PostgreSQL: pgsql/src/test/regress/pg_regress.c,v 1.41.2.4 2009/11/14 15:39:41 mha Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -1009,6 +1009,10 @@ spawn_process(const char *cmdline)
 	cmdline2 = malloc(strlen(cmdline) + 8);
 	sprintf(cmdline2, "cmd /c %s", cmdline);
+#ifndef __CYGWIN__
+	AddUserToTokenDacl(restrictedToken);
+#endif
 	if (!CreateProcessAsUser(restrictedToken,
 						NULL,
 						cmdline2,
@@ -1026,10 +1030,6 @@ spawn_process(const char *cmdline)
 		exit_nicely(2);
 	}
-#ifndef __CYGWIN__
-	AddUserToDacl(pi.hProcess);
-#endif
 	free(cmdline2);
    ResumeThread(pi.hThread);