diff options
Diffstat (limited to 'src/common/exec.c')
-rw-r--r-- | src/common/exec.c | 696 |
1 files changed, 696 insertions, 0 deletions
diff --git a/src/common/exec.c b/src/common/exec.c new file mode 100644 index 0000000..7dd2f8c --- /dev/null +++ b/src/common/exec.c @@ -0,0 +1,696 @@ +/*------------------------------------------------------------------------- + * + * exec.c + * Functions for finding and validating executable files + * + * + * Portions Copyright (c) 1996-2021, PostgreSQL Global Development Group + * Portions Copyright (c) 1994, Regents of the University of California + * + * + * IDENTIFICATION + * src/common/exec.c + * + *------------------------------------------------------------------------- + */ + +#ifndef FRONTEND +#include "postgres.h" +#else +#include "postgres_fe.h" +#endif + +#include <signal.h> +#include <sys/stat.h> +#include <sys/wait.h> +#include <unistd.h> + +/* Inhibit mingw CRT's auto-globbing of command line arguments */ +#if defined(WIN32) && !defined(_MSC_VER) +extern int _CRT_glob = 0; /* 0 turns off globbing; 1 turns it on */ +#endif + +/* + * Hacky solution to allow expressing both frontend and backend error reports + * in one macro call. First argument of log_error is an errcode() call of + * some sort (ignored if FRONTEND); the rest are errmsg_internal() arguments, + * i.e. message string and any parameters for it. + * + * Caller must provide the gettext wrapper around the message string, if + * appropriate, so that it gets translated in the FRONTEND case; this + * motivates using errmsg_internal() not errmsg(). We handle appending a + * newline, if needed, inside the macro, so that there's only one translatable + * string per call not two. + */ +#ifndef FRONTEND +#define log_error(errcodefn, ...) \ + ereport(LOG, (errcodefn, errmsg_internal(__VA_ARGS__))) +#else +#define log_error(errcodefn, ...) \ + (fprintf(stderr, __VA_ARGS__), fputc('\n', stderr)) +#endif + +#ifdef _MSC_VER +#define getcwd(cwd,len) GetCurrentDirectory(len, cwd) +#endif + +static int resolve_symlinks(char *path); + +#ifdef WIN32 +static BOOL GetTokenUser(HANDLE hToken, PTOKEN_USER *ppTokenUser); +#endif + +/* + * validate_exec -- validate "path" as an executable file + * + * returns 0 if the file is found and no error is encountered. + * -1 if the regular file "path" does not exist or cannot be executed. + * -2 if the file is otherwise valid but cannot be read. + */ +int +validate_exec(const char *path) +{ + struct stat buf; + int is_r; + int is_x; + +#ifdef WIN32 + char path_exe[MAXPGPATH + sizeof(".exe") - 1]; + + /* Win32 requires a .exe suffix for stat() */ + if (strlen(path) >= strlen(".exe") && + pg_strcasecmp(path + strlen(path) - strlen(".exe"), ".exe") != 0) + { + strlcpy(path_exe, path, sizeof(path_exe) - 4); + strcat(path_exe, ".exe"); + path = path_exe; + } +#endif + + /* + * Ensure that the file exists and is a regular file. + * + * XXX if you have a broken system where stat() looks at the symlink + * instead of the underlying file, you lose. + */ + if (stat(path, &buf) < 0) + return -1; + + if (!S_ISREG(buf.st_mode)) + return -1; + + /* + * Ensure that the file is both executable and readable (required for + * dynamic loading). + */ +#ifndef WIN32 + is_r = (access(path, R_OK) == 0); + is_x = (access(path, X_OK) == 0); +#else + is_r = buf.st_mode & S_IRUSR; + is_x = buf.st_mode & S_IXUSR; +#endif + return is_x ? (is_r ? 0 : -2) : -1; +} + + +/* + * find_my_exec -- find an absolute path to a valid executable + * + * argv0 is the name passed on the command line + * retpath is the output area (must be of size MAXPGPATH) + * Returns 0 if OK, -1 if error. + * + * The reason we have to work so hard to find an absolute path is that + * on some platforms we can't do dynamic loading unless we know the + * executable's location. Also, we need a full path not a relative + * path because we will later change working directory. Finally, we want + * a true path not a symlink location, so that we can locate other files + * that are part of our installation relative to the executable. + */ +int +find_my_exec(const char *argv0, char *retpath) +{ + char cwd[MAXPGPATH], + test_path[MAXPGPATH]; + char *path; + + if (!getcwd(cwd, MAXPGPATH)) + { + log_error(errcode_for_file_access(), + _("could not identify current directory: %m")); + return -1; + } + + /* + * If argv0 contains a separator, then PATH wasn't used. + */ + if (first_dir_separator(argv0) != NULL) + { + if (is_absolute_path(argv0)) + strlcpy(retpath, argv0, MAXPGPATH); + else + join_path_components(retpath, cwd, argv0); + canonicalize_path(retpath); + + if (validate_exec(retpath) == 0) + return resolve_symlinks(retpath); + + log_error(errcode(ERRCODE_WRONG_OBJECT_TYPE), + _("invalid binary \"%s\""), retpath); + return -1; + } + +#ifdef WIN32 + /* Win32 checks the current directory first for names without slashes */ + join_path_components(retpath, cwd, argv0); + if (validate_exec(retpath) == 0) + return resolve_symlinks(retpath); +#endif + + /* + * Since no explicit path was supplied, the user must have been relying on + * PATH. We'll search the same PATH. + */ + if ((path = getenv("PATH")) && *path) + { + char *startp = NULL, + *endp = NULL; + + do + { + if (!startp) + startp = path; + else + startp = endp + 1; + + endp = first_path_var_separator(startp); + if (!endp) + endp = startp + strlen(startp); /* point to end */ + + strlcpy(test_path, startp, Min(endp - startp + 1, MAXPGPATH)); + + if (is_absolute_path(test_path)) + join_path_components(retpath, test_path, argv0); + else + { + join_path_components(retpath, cwd, test_path); + join_path_components(retpath, retpath, argv0); + } + canonicalize_path(retpath); + + switch (validate_exec(retpath)) + { + case 0: /* found ok */ + return resolve_symlinks(retpath); + case -1: /* wasn't even a candidate, keep looking */ + break; + case -2: /* found but disqualified */ + log_error(errcode(ERRCODE_WRONG_OBJECT_TYPE), + _("could not read binary \"%s\""), + retpath); + break; + } + } while (*endp); + } + + log_error(errcode(ERRCODE_UNDEFINED_FILE), + _("could not find a \"%s\" to execute"), argv0); + return -1; +} + + +/* + * resolve_symlinks - resolve symlinks to the underlying file + * + * Replace "path" by the absolute path to the referenced file. + * + * Returns 0 if OK, -1 if error. + * + * Note: we are not particularly tense about producing nice error messages + * because we are not really expecting error here; we just determined that + * the symlink does point to a valid executable. + */ +static int +resolve_symlinks(char *path) +{ +#ifdef HAVE_READLINK + struct stat buf; + char orig_wd[MAXPGPATH], + link_buf[MAXPGPATH]; + char *fname; + + /* + * To resolve a symlink properly, we have to chdir into its directory and + * then chdir to where the symlink points; otherwise we may fail to + * resolve relative links correctly (consider cases involving mount + * points, for example). After following the final symlink, we use + * getcwd() to figure out where the heck we're at. + * + * One might think we could skip all this if path doesn't point to a + * symlink to start with, but that's wrong. We also want to get rid of + * any directory symlinks that are present in the given path. We expect + * getcwd() to give us an accurate, symlink-free path. + */ + if (!getcwd(orig_wd, MAXPGPATH)) + { + log_error(errcode_for_file_access(), + _("could not identify current directory: %m")); + return -1; + } + + for (;;) + { + char *lsep; + int rllen; + + lsep = last_dir_separator(path); + if (lsep) + { + *lsep = '\0'; + if (chdir(path) == -1) + { + log_error(errcode_for_file_access(), + _("could not change directory to \"%s\": %m"), path); + return -1; + } + fname = lsep + 1; + } + else + fname = path; + + if (lstat(fname, &buf) < 0 || + !S_ISLNK(buf.st_mode)) + break; + + errno = 0; + rllen = readlink(fname, link_buf, sizeof(link_buf)); + if (rllen < 0 || rllen >= sizeof(link_buf)) + { + log_error(errcode_for_file_access(), + _("could not read symbolic link \"%s\": %m"), fname); + return -1; + } + link_buf[rllen] = '\0'; + strcpy(path, link_buf); + } + + /* must copy final component out of 'path' temporarily */ + strlcpy(link_buf, fname, sizeof(link_buf)); + + if (!getcwd(path, MAXPGPATH)) + { + log_error(errcode_for_file_access(), + _("could not identify current directory: %m")); + return -1; + } + join_path_components(path, path, link_buf); + canonicalize_path(path); + + if (chdir(orig_wd) == -1) + { + log_error(errcode_for_file_access(), + _("could not change directory to \"%s\": %m"), orig_wd); + return -1; + } +#endif /* HAVE_READLINK */ + + return 0; +} + + +/* + * Find another program in our binary's directory, + * then make sure it is the proper version. + */ +int +find_other_exec(const char *argv0, const char *target, + const char *versionstr, char *retpath) +{ + char cmd[MAXPGPATH]; + char line[MAXPGPATH]; + + if (find_my_exec(argv0, retpath) < 0) + return -1; + + /* Trim off program name and keep just directory */ + *last_dir_separator(retpath) = '\0'; + canonicalize_path(retpath); + + /* Now append the other program's name */ + snprintf(retpath + strlen(retpath), MAXPGPATH - strlen(retpath), + "/%s%s", target, EXE); + + if (validate_exec(retpath) != 0) + return -1; + + snprintf(cmd, sizeof(cmd), "\"%s\" -V", retpath); + + if (!pipe_read_line(cmd, line, sizeof(line))) + return -1; + + if (strcmp(line, versionstr) != 0) + return -2; + + return 0; +} + + +/* + * Execute a command in a pipe and read the first line from it. + */ +char * +pipe_read_line(char *cmd, char *line, int maxsize) +{ + FILE *pgver; + + /* flush output buffers in case popen does not... */ + fflush(stdout); + fflush(stderr); + + errno = 0; + if ((pgver = popen(cmd, "r")) == NULL) + { + perror("popen failure"); + return NULL; + } + + errno = 0; + if (fgets(line, maxsize, pgver) == NULL) + { + if (feof(pgver)) + fprintf(stderr, "no data was returned by command \"%s\"\n", cmd); + else + perror("fgets failure"); + pclose(pgver); /* no error checking */ + return NULL; + } + + if (pclose_check(pgver)) + return NULL; + + return line; +} + + +/* + * pclose() plus useful error reporting + */ +int +pclose_check(FILE *stream) +{ + int exitstatus; + char *reason; + + exitstatus = pclose(stream); + + if (exitstatus == 0) + return 0; /* all is well */ + + if (exitstatus == -1) + { + /* pclose() itself failed, and hopefully set errno */ + log_error(errcode(ERRCODE_SYSTEM_ERROR), + _("%s() failed: %m"), "pclose"); + } + else + { + reason = wait_result_to_str(exitstatus); + log_error(errcode(ERRCODE_SYSTEM_ERROR), + "%s", reason); + pfree(reason); + } + return exitstatus; +} + +/* + * set_pglocale_pgservice + * + * Set application-specific locale and service directory + * + * This function takes the value of argv[0] rather than a full path. + * + * (You may be wondering why this is in exec.c. It requires this module's + * services and doesn't introduce any new dependencies, so this seems as + * good as anyplace.) + */ +void +set_pglocale_pgservice(const char *argv0, const char *app) +{ + char path[MAXPGPATH]; + char my_exec_path[MAXPGPATH]; + + /* don't set LC_ALL in the backend */ + if (strcmp(app, PG_TEXTDOMAIN("postgres")) != 0) + { + setlocale(LC_ALL, ""); + + /* + * One could make a case for reproducing here PostmasterMain()'s test + * for whether the process is multithreaded. Unlike the postmaster, + * no frontend program calls sigprocmask() or otherwise provides for + * mutual exclusion between signal handlers. While frontends using + * fork(), if multithreaded, are formally exposed to undefined + * behavior, we have not witnessed a concrete bug. Therefore, + * complaining about multithreading here may be mere pedantry. + */ + } + + if (find_my_exec(argv0, my_exec_path) < 0) + return; + +#ifdef ENABLE_NLS + get_locale_path(my_exec_path, path); + bindtextdomain(app, path); + textdomain(app); + /* set for libpq to use, but don't override existing setting */ + setenv("PGLOCALEDIR", path, 0); +#endif + + if (getenv("PGSYSCONFDIR") == NULL) + { + get_etc_path(my_exec_path, path); + /* set for libpq to use */ + setenv("PGSYSCONFDIR", path, 0); + } +} + +#ifdef WIN32 + +/* + * AddUserToTokenDacl(HANDLE hToken) + * + * This function adds the current user account to the restricted + * token used when we create a restricted process. + * + * This is required because of some security changes in Windows + * that appeared in patches to XP/2K3 and in Vista/2008. + * + * On these machines, the Administrator account is not included in + * the default DACL - you just get Administrators + System. For + * regular users you get User + System. Because we strip Administrators + * when we create the restricted token, we are left with only System + * in the DACL which leads to access denied errors for later CreatePipe() + * and CreateProcess() calls when running as Administrator. + * + * This function fixes this problem by modifying the DACL of the + * token the process will use, and explicitly re-adding the current + * user account. This is still secure because the Administrator account + * inherits its privileges from the Administrators group - it doesn't + * have any of its own. + */ +BOOL +AddUserToTokenDacl(HANDLE hToken) +{ + int i; + ACL_SIZE_INFORMATION asi; + ACCESS_ALLOWED_ACE *pace; + DWORD dwNewAclSize; + DWORD dwSize = 0; + DWORD dwTokenInfoLength = 0; + PACL pacl = NULL; + PTOKEN_USER pTokenUser = NULL; + TOKEN_DEFAULT_DACL tddNew; + TOKEN_DEFAULT_DACL *ptdd = NULL; + TOKEN_INFORMATION_CLASS tic = TokenDefaultDacl; + BOOL ret = FALSE; + + /* Figure out the buffer size for the DACL info */ + if (!GetTokenInformation(hToken, tic, (LPVOID) NULL, dwTokenInfoLength, &dwSize)) + { + if (GetLastError() == ERROR_INSUFFICIENT_BUFFER) + { + ptdd = (TOKEN_DEFAULT_DACL *) LocalAlloc(LPTR, dwSize); + if (ptdd == NULL) + { + log_error(errcode(ERRCODE_OUT_OF_MEMORY), + _("out of memory")); + goto cleanup; + } + + if (!GetTokenInformation(hToken, tic, (LPVOID) ptdd, dwSize, &dwSize)) + { + log_error(errcode(ERRCODE_SYSTEM_ERROR), + "could not get token information: error code %lu", + GetLastError()); + goto cleanup; + } + } + else + { + log_error(errcode(ERRCODE_SYSTEM_ERROR), + "could not get token information buffer size: error code %lu", + GetLastError()); + goto cleanup; + } + } + + /* Get the ACL info */ + if (!GetAclInformation(ptdd->DefaultDacl, (LPVOID) &asi, + (DWORD) sizeof(ACL_SIZE_INFORMATION), + AclSizeInformation)) + { + log_error(errcode(ERRCODE_SYSTEM_ERROR), + "could not get ACL information: error code %lu", + GetLastError()); + goto cleanup; + } + + /* Get the current user SID */ + if (!GetTokenUser(hToken, &pTokenUser)) + goto cleanup; /* callee printed a message */ + + /* Figure out the size of the new ACL */ + dwNewAclSize = asi.AclBytesInUse + sizeof(ACCESS_ALLOWED_ACE) + + GetLengthSid(pTokenUser->User.Sid) - sizeof(DWORD); + + /* Allocate the ACL buffer & initialize it */ + pacl = (PACL) LocalAlloc(LPTR, dwNewAclSize); + if (pacl == NULL) + { + log_error(errcode(ERRCODE_OUT_OF_MEMORY), + _("out of memory")); + goto cleanup; + } + + if (!InitializeAcl(pacl, dwNewAclSize, ACL_REVISION)) + { + log_error(errcode(ERRCODE_SYSTEM_ERROR), + "could not initialize ACL: error code %lu", GetLastError()); + goto cleanup; + } + + /* Loop through the existing ACEs, and build the new ACL */ + for (i = 0; i < (int) asi.AceCount; i++) + { + if (!GetAce(ptdd->DefaultDacl, i, (LPVOID *) &pace)) + { + log_error(errcode(ERRCODE_SYSTEM_ERROR), + "could not get ACE: error code %lu", GetLastError()); + goto cleanup; + } + + if (!AddAce(pacl, ACL_REVISION, MAXDWORD, pace, ((PACE_HEADER) pace)->AceSize)) + { + log_error(errcode(ERRCODE_SYSTEM_ERROR), + "could not add ACE: error code %lu", GetLastError()); + goto cleanup; + } + } + + /* Add the new ACE for the current user */ + if (!AddAccessAllowedAceEx(pacl, ACL_REVISION, OBJECT_INHERIT_ACE, GENERIC_ALL, pTokenUser->User.Sid)) + { + log_error(errcode(ERRCODE_SYSTEM_ERROR), + "could not add access allowed ACE: error code %lu", + GetLastError()); + goto cleanup; + } + + /* Set the new DACL in the token */ + tddNew.DefaultDacl = pacl; + + if (!SetTokenInformation(hToken, tic, (LPVOID) &tddNew, dwNewAclSize)) + { + log_error(errcode(ERRCODE_SYSTEM_ERROR), + "could not set token information: error code %lu", + GetLastError()); + goto cleanup; + } + + ret = TRUE; + +cleanup: + if (pTokenUser) + LocalFree((HLOCAL) pTokenUser); + + if (pacl) + LocalFree((HLOCAL) pacl); + + if (ptdd) + LocalFree((HLOCAL) ptdd); + + return ret; +} + +/* + * GetTokenUser(HANDLE hToken, PTOKEN_USER *ppTokenUser) + * + * Get the users token information from a process token. + * + * The caller of this function is responsible for calling LocalFree() on the + * returned TOKEN_USER memory. + */ +static BOOL +GetTokenUser(HANDLE hToken, PTOKEN_USER *ppTokenUser) +{ + DWORD dwLength; + + *ppTokenUser = NULL; + + if (!GetTokenInformation(hToken, + TokenUser, + NULL, + 0, + &dwLength)) + { + if (GetLastError() == ERROR_INSUFFICIENT_BUFFER) + { + *ppTokenUser = (PTOKEN_USER) LocalAlloc(LPTR, dwLength); + + if (*ppTokenUser == NULL) + { + log_error(errcode(ERRCODE_OUT_OF_MEMORY), + _("out of memory")); + return FALSE; + } + } + else + { + log_error(errcode(ERRCODE_SYSTEM_ERROR), + "could not get token information buffer size: error code %lu", + GetLastError()); + return FALSE; + } + } + + if (!GetTokenInformation(hToken, + TokenUser, + *ppTokenUser, + dwLength, + &dwLength)) + { + LocalFree(*ppTokenUser); + *ppTokenUser = NULL; + + log_error(errcode(ERRCODE_SYSTEM_ERROR), + "could not get token information: error code %lu", + GetLastError()); + return FALSE; + } + + /* Memory in *ppTokenUser is LocalFree():d by the caller */ + return TRUE; +} + +#endif |