NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commite0e1ef4

committed

Revert Windows service check refactoring, and replace with a different fix.

This reverts commit38bdba5, "Fix andsimplify check for whether we're running as Windows service". It turns outthat older versions of MinGW - like that on buildfarm member narwhal - donot support the CheckTokenMembership() function. This replaces therefactoring with a much smaller fix, to add a check for SE_GROUP_ENABLED topgwin32_is_service().Only apply to back-branches, and keep the refactoring in HEAD. It'sunlikely that anyone is still really using such an old version of MinGW -aside from narwhal - but let's not change the minimum requirements inminor releases.Discussion:https://www.postgresql.org/message-id/16609.1489773427@sss.pgh.pa.usPatch:https://www.postgresql.org/message-id/CAB7nPqSvfu%3DKpJ%3DNX%2BYAHmgAmQdzA7N5h31BjzXeMgczhGCC%2BQ%40mail.gmail.com

1 parent5fdc708 commite0e1ef4Copy full SHA for e0e1ef4

File tree

1 file changed

+136

-38

lines changed

src/backend/port/win32
- security.c

1 file changed

+136

-38

lines changed

`‎src/backend/port/win32/security.c`

Lines changed: 136 additions & 38 deletions

Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,10 @@`
`14`	`14`	`#include"postgres.h"`
`15`	`15`
`16`	`16`
	`17`	`+staticBOOLpgwin32_get_dynamic_tokeninfo(HANDLEtoken,`
	`18`	`+TOKEN_INFORMATION_CLASSclass,char**InfoBuffer,`
	`19`	`+char*errbuf,interrsize);`
	`20`	`+`
`17`	`21`	`/*`
`18`	`22`	`* Returns nonzero if the current user has administrative privileges,`
`19`	`23`	`* or zero if not.`
`@@ -24,11 +28,33 @@`
`24`	`28`	`int`
`25`	`29`	`pgwin32_is_admin(void)`
`26`	`30`	`{`
	`31`	`+HANDLEAccessToken;`
	`32`	`+char*InfoBuffer=NULL;`
	`33`	`+charerrbuf[256];`
	`34`	`+PTOKEN_GROUPSGroups;`
`27`	`35`	`PSIDAdministratorsSid;`
`28`	`36`	`PSIDPowerUsersSid;`
`29`	`37`	`SID_IDENTIFIER_AUTHORITYNtAuthority= {SECURITY_NT_AUTHORITY};`
`30`		`-BOOLIsAdministrators;`
`31`		`-BOOLIsPowerUsers;`
	`38`	`+UINTx;`
	`39`	`+BOOLsuccess;`
	`40`	`+`
	`41`	`+if (!OpenProcessToken(GetCurrentProcess(),TOKEN_READ,&AccessToken))`
	`42`	`+{`
	`43`	`+write_stderr("could not open process token: error code %lu\n",`
	`44`	`+GetLastError());`
	`45`	`+exit(1);`
	`46`	`+}`
	`47`	`+`
	`48`	`+if (!pgwin32_get_dynamic_tokeninfo(AccessToken,TokenGroups,`
	`49`	`+&InfoBuffer,errbuf,sizeof(errbuf)))`
	`50`	`+{`
	`51`	`+write_stderr("%s",errbuf);`
	`52`	`+exit(1);`
	`53`	`+}`
	`54`	`+`
	`55`	`+Groups= (PTOKEN_GROUPS)InfoBuffer;`
	`56`	`+`
	`57`	`+CloseHandle(AccessToken);`
`32`	`58`
`33`	`59`	`if (!AllocateAndInitializeSid(&NtAuthority,2,`
`34`	`60`	`SECURITY_BUILTIN_DOMAIN_RID,DOMAIN_ALIAS_RID_ADMINS,0,0,0,0,0,`
`@@ -48,35 +74,32 @@ pgwin32_is_admin(void)`
`48`	`74`	`exit(1);`
`49`	`75`	`}`
`50`	`76`
`51`		`-if (!CheckTokenMembership(NULL,AdministratorsSid,&IsAdministrators)\|\|`
`52`		`-!CheckTokenMembership(NULL,PowerUsersSid,&IsPowerUsers))`
	`77`	`+success= FALSE;`
	`78`	`+`
	`79`	`+for (x=0;x<Groups->GroupCount;x++)`
`53`	`80`	`{`
`54`		`-write_stderr("could not check access token membership: error code %lu\n",`
`55`		`-GetLastError());`
`56`		`-exit(1);`
	`81`	`+if ((EqualSid(AdministratorsSid,Groups->Groups[x].Sid)&& (Groups->Groups[x].Attributes&SE_GROUP_ENABLED))\|\|`
	`82`	`+(EqualSid(PowerUsersSid,Groups->Groups[x].Sid)&& (Groups->Groups[x].Attributes&SE_GROUP_ENABLED)))`
	`83`	`+{`
	`84`	`+success= TRUE;`
	`85`	`+break;`
	`86`	`+}`
`57`	`87`	`}`
`58`	`88`
	`89`	`+free(InfoBuffer);`
`59`	`90`	`FreeSid(AdministratorsSid);`
`60`	`91`	`FreeSid(PowerUsersSid);`
`61`		`-`
`62`		`-if (IsAdministrators\|\|IsPowerUsers)`
`63`		`-return1;`
`64`		`-else`
`65`		`-return0;`
	`92`	`+returnsuccess;`
`66`	`93`	`}`
`67`	`94`
`68`	`95`	`/*`
`69`	`96`	`* We consider ourselves running as a service if one of the following is`
`70`	`97`	`* true:`
`71`	`98`	`*`
`72`		`- * 1) We are running asLocalSystem (only used by services)`
	`99`	`+ * 1) We are running asLocal System (only used by services)`
`73`	`100`	`* 2) Our token contains SECURITY_SERVICE_RID (automatically added to the`
`74`	`101`	`* process token by the SCM when starting a service)`
`75`	`102`	`*`
`76`		`- * The check for LocalSystem is needed, because surprisingly, if a service`
`77`		`- * is running as LocalSystem, it does not have SECURITY_SERVICE_RID in its`
`78`		`- * process token.`
`79`		`- *`
`80`	`103`	`* Return values:`
`81`	`104`	`* 0 = Not service`
`82`	`105`	`* 1 = Service`
`@@ -90,62 +113,137 @@ int`
`90`	`113`	`pgwin32_is_service(void)`
`91`	`114`	`{`
`92`	`115`	`staticint_is_service=-1;`
`93`		`-BOOLIsMember;`
	`116`	`+HANDLEAccessToken;`
	`117`	`+char*InfoBuffer=NULL;`
	`118`	`+charerrbuf[256];`
	`119`	`+PTOKEN_GROUPSGroups;`
	`120`	`+PTOKEN_USERUser;`
`94`	`121`	`PSIDServiceSid;`
`95`	`122`	`PSIDLocalSystemSid;`
`96`	`123`	`SID_IDENTIFIER_AUTHORITYNtAuthority= {SECURITY_NT_AUTHORITY};`
	`124`	`+UINTx;`
`97`	`125`
`98`	`126`	`/* Only check the first time */`
`99`	`127`	`if (_is_service!=-1)`
`100`	`128`	`return_is_service;`
`101`	`129`
`102`		`-/* First check for LocalSystem */`
	`130`	`+if (!OpenProcessToken(GetCurrentProcess(),TOKEN_READ,&AccessToken))`
	`131`	`+{`
	`132`	`+fprintf(stderr,"could not open process token: error code %lu\n",`
	`133`	`+GetLastError());`
	`134`	`+return-1;`
	`135`	`+}`
	`136`	`+`
	`137`	`+/* First check for local system */`
	`138`	`+if (!pgwin32_get_dynamic_tokeninfo(AccessToken,TokenUser,&InfoBuffer,`
	`139`	`+errbuf,sizeof(errbuf)))`
	`140`	`+{`
	`141`	`+fprintf(stderr,"%s",errbuf);`
	`142`	`+return-1;`
	`143`	`+}`
	`144`	`+`
	`145`	`+User= (PTOKEN_USER)InfoBuffer;`
	`146`	`+`
`103`	`147`	`if (!AllocateAndInitializeSid(&NtAuthority,1,`
`104`	`148`	`SECURITY_LOCAL_SYSTEM_RID,0,0,0,0,0,0,0,`
`105`	`149`	`&LocalSystemSid))`
`106`	`150`	`{`
`107`	`151`	`fprintf(stderr,"could not get SID for local system account\n");`
	`152`	`+CloseHandle(AccessToken);`
`108`	`153`	`return-1;`
`109`	`154`	`}`
`110`	`155`
`111`		`-if (!CheckTokenMembership(NULL,LocalSystemSid,&IsMember))`
	`156`	`+if (EqualSid(LocalSystemSid,User->User.Sid))`
`112`	`157`	`{`
`113`		`-fprintf(stderr,"could not check access token membership: error code %lu\n",`
`114`		`-GetLastError());`
`115`	`158`	`FreeSid(LocalSystemSid);`
`116`		`-return-1;`
	`159`	`+free(InfoBuffer);`
	`160`	`+CloseHandle(AccessToken);`
	`161`	`+_is_service=1;`
	`162`	`+return_is_service;`
`117`	`163`	`}`
	`164`	`+`
`118`	`165`	`FreeSid(LocalSystemSid);`
	`166`	`+free(InfoBuffer);`
`119`	`167`
`120`		`-if (IsMember)`
	`168`	`+/* Now check for group SID */`
	`169`	`+if (!pgwin32_get_dynamic_tokeninfo(AccessToken,TokenGroups,&InfoBuffer,`
	`170`	`+errbuf,sizeof(errbuf)))`
`121`	`171`	`{`
`122`		`-_is_service=1;`
`123`		`-return_is_service;`
	`172`	`+fprintf(stderr,"%s",errbuf);`
	`173`	`+return-1;`
`124`	`174`	`}`
`125`	`175`
`126`		`-/* Check for service group membership */`
	`176`	`+Groups= (PTOKEN_GROUPS)InfoBuffer;`
	`177`	`+`
`127`	`178`	`if (!AllocateAndInitializeSid(&NtAuthority,1,`
`128`	`179`	`SECURITY_SERVICE_RID,0,0,0,0,0,0,0,`
`129`	`180`	`&ServiceSid))`
`130`	`181`	`{`
`131`		`-fprintf(stderr,"could not get SID for service group: error code %lu\n",`
`132`		`-GetLastError());`
	`182`	`+fprintf(stderr,"could not get SID for service group\n");`
	`183`	`+free(InfoBuffer);`
	`184`	`+CloseHandle(AccessToken);`
`133`	`185`	`return-1;`
`134`	`186`	`}`
`135`	`187`
`136`		`-if (!CheckTokenMembership(NULL,ServiceSid,&IsMember))`
	`188`	`+_is_service=0;`
	`189`	`+for (x=0;x<Groups->GroupCount;x++)`
`137`	`190`	`{`
`138`		`-fprintf(stderr,"could not check access token membership: error code %lu\n",`
`139`		`-GetLastError());`
`140`		`-FreeSid(ServiceSid);`
`141`		`-return-1;`
	`191`	`+if (EqualSid(ServiceSid,Groups->Groups[x].Sid)&&`
	`192`	`+(Groups->Groups[x].Attributes&SE_GROUP_ENABLED))`
	`193`	`+{`
	`194`	`+_is_service=1;`
	`195`	`+break;`
	`196`	`+}`
`142`	`197`	`}`
	`198`	`+`
	`199`	`+free(InfoBuffer);`
`143`	`200`	`FreeSid(ServiceSid);`
`144`	`201`
`145`		`-if (IsMember)`
`146`		`-_is_service=1;`
`147`		`-else`
`148`		`-_is_service=0;`
	`202`	`+CloseHandle(AccessToken);`
`149`	`203`
`150`	`204`	`return_is_service;`
`151`	`205`	`}`
	`206`	`+`
	`207`	`+`
	`208`	`+/*`
	`209`	`+ * Call GetTokenInformation() on a token and return a dynamically sized`
	`210`	`+ * buffer with the information in it. This buffer must be free():d by`
	`211`	`+ * the calling function!`
	`212`	`+ */`
	`213`	`+staticBOOL`
	`214`	`+pgwin32_get_dynamic_tokeninfo(HANDLEtoken,TOKEN_INFORMATION_CLASSclass,`
	`215`	`+char*InfoBuffer,charerrbuf,interrsize)`
	`216`	`+{`
	`217`	`+DWORDInfoBufferSize;`
	`218`	`+`
	`219`	`+if (GetTokenInformation(token,class,NULL,0,&InfoBufferSize))`
	`220`	`+{`
	`221`	`+snprintf(errbuf,errsize,"could not get token information: got zero size\n");`
	`222`	`+return FALSE;`
	`223`	`+}`
	`224`	`+`
	`225`	`+if (GetLastError()!=ERROR_INSUFFICIENT_BUFFER)`
	`226`	`+{`
	`227`	`+snprintf(errbuf,errsize,"could not get token information: error code %lu\n",`
	`228`	`+GetLastError());`
	`229`	`+return FALSE;`
	`230`	`+}`
	`231`	`+`
	`232`	`+*InfoBuffer=malloc(InfoBufferSize);`
	`233`	`+if (*InfoBuffer==NULL)`
	`234`	`+{`
	`235`	`+snprintf(errbuf,errsize,"could not allocate %d bytes for token information\n",`
	`236`	`+ (int)InfoBufferSize);`
	`237`	`+return FALSE;`
	`238`	`+}`
	`239`	`+`
	`240`	`+if (!GetTokenInformation(token,class,*InfoBuffer,`
	`241`	`+InfoBufferSize,&InfoBufferSize))`
	`242`	`+{`
	`243`	`+snprintf(errbuf,errsize,"could not get token information: error code %lu\n",`
	`244`	`+GetLastError());`
	`245`	`+return FALSE;`
	`246`	`+}`
	`247`	`+`
	`248`	`+return TRUE;`
	`249`	`+}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commite0e1ef4

File tree

1 file changed

1 file changed

`‎src/backend/port/win32/security.c`

0 commit comments