| /*------------------------------------------------------------------------- |
| * |
| * exec.c |
| * Functions for finding and validating executable files |
| * |
| * |
| * Portions Copyright (c) 1996-2023, PostgreSQL Global Development Group |
| * Portions Copyright (c) 1994, Regents of the University of California |
| * |
| * |
| * IDENTIFICATION |
| * src/common/exec.c |
| * |
| *------------------------------------------------------------------------- |
| */ |
| |
| /* |
| * On macOS, "man realpath" avers: |
| * Defining _DARWIN_C_SOURCE or _DARWIN_BETTER_REALPATH before including |
| * stdlib.h will cause the provided implementation of realpath() to use |
| * F_GETPATH from fcntl(2) to discover the path. |
| * This should be harmless everywhere else. |
| */ |
| #define _DARWIN_BETTER_REALPATH |
| |
| #ifndef FRONTEND |
| #include "postgres.h" |
| #else |
| #include "postgres_fe.h" |
| #endif |
| |
| #include <signal.h> |
| #include <sys/stat.h> |
| #include <sys/wait.h> |
| #include <unistd.h> |
| |
| /* Inhibit mingw CRT's auto-globbing of command line arguments */ |
| #if defined(WIN32) && !defined(_MSC_VER) |
| extern int _CRT_glob = 0; /* 0 turns off globbing; 1 turns it on */ |
| |
| #endif |
| |
| /* |
| * Hacky solution to allow expressing both frontend and backend error reports |
| * in one macro call. First argument of log_error is an errcode() call of |
| * some sort (ignored if FRONTEND); the rest are errmsg_internal() arguments, |
| * i.e. message string and any parameters for it. |
| * |
| * Caller must provide the gettext wrapper around the message string, if |
| * appropriate, so that it gets translated in the FRONTEND case; this |
| * motivates using errmsg_internal() not errmsg(). We handle appending a |
| * newline, if needed, inside the macro, so that there's only one translatable |
| * string per call not two. |
| */ |
| #ifndef FRONTEND |
| #define log_error(errcodefn, ...) \ |
| ereport(LOG, (errcodefn, errmsg_internal(__VA_ARGS__))) |
| #else |
| #define log_error(errcodefn, ...) \ |
| (fprintf(stderr, __VA_ARGS__), fputc('\n', stderr)) |
| #endif |
| |
| static int normalize_exec_path(char *path); |
| static char *pg_realpath(const char *fname); |
| |
| #ifdef WIN32 |
| static BOOL GetTokenUser(HANDLE hToken, PTOKEN_USER *ppTokenUser); |
| #endif |
| |
| /* |
| * validate_exec -- validate "path" as an executable file |
| * |
| * returns 0 if the file is found and no error is encountered. |
| * -1 if the regular file "path" does not exist or cannot be executed. |
| * -2 if the file is otherwise valid but cannot be read. |
| * in the failure cases, errno is set appropriately |
| */ |
| int |
| validate_exec(const char *path) |
| { |
| struct stat buf; |
| int is_r; |
| int is_x; |
| |
| #ifdef WIN32 |
| char path_exe[MAXPGPATH + sizeof(".exe") - 1]; |
| |
| /* Win32 requires a .exe suffix for stat() */ |
| if (strlen(path) < strlen(".exe") || |
| pg_strcasecmp(path + strlen(path) - strlen(".exe"), ".exe") != 0) |
| { |
| strlcpy(path_exe, path, sizeof(path_exe) - 4); |
| strcat(path_exe, ".exe"); |
| path = path_exe; |
| } |
| #endif |
| |
| /* |
| * Ensure that the file exists and is a regular file. |
| * |
| * XXX if you have a broken system where stat() looks at the symlink |
| * instead of the underlying file, you lose. |
| */ |
| if (stat(path, &buf) < 0) |
| return -1; |
| |
| if (!S_ISREG(buf.st_mode)) |
| { |
| /* |
| * POSIX offers no errno code that's simply "not a regular file". If |
| * it's a directory we can use EISDIR. Otherwise, it's most likely a |
| * device special file, and EPERM (Operation not permitted) isn't too |
| * horribly off base. |
| */ |
| errno = S_ISDIR(buf.st_mode) ? EISDIR : EPERM; |
| return -1; |
| } |
| |
| /* |
| * Ensure that the file is both executable and readable (required for |
| * dynamic loading). |
| */ |
| #ifndef WIN32 |
| is_r = (access(path, R_OK) == 0); |
| is_x = (access(path, X_OK) == 0); |
| /* access() will set errno if it returns -1 */ |
| #else |
| is_r = buf.st_mode & S_IRUSR; |
| is_x = buf.st_mode & S_IXUSR; |
| errno = EACCES; /* appropriate thing if we return nonzero */ |
| #endif |
| return is_x ? (is_r ? 0 : -2) : -1; |
| } |
| |
| |
| /* |
| * find_my_exec -- find an absolute path to this program's executable |
| * |
| * argv0 is the name passed on the command line |
| * retpath is the output area (must be of size MAXPGPATH) |
| * Returns 0 if OK, -1 if error. |
| * |
| * The reason we have to work so hard to find an absolute path is that |
| * on some platforms we can't do dynamic loading unless we know the |
| * executable's location. Also, we need an absolute path not a relative |
| * path because we may later change working directory. Finally, we want |
| * a true path not a symlink location, so that we can locate other files |
| * that are part of our installation relative to the executable. |
| */ |
| int |
| find_my_exec(const char *argv0, char *retpath) |
| { |
| char *path; |
| |
| /* |
| * If argv0 contains a separator, then PATH wasn't used. |
| */ |
| strlcpy(retpath, argv0, MAXPGPATH); |
| if (first_dir_separator(retpath) != NULL) |
| { |
| if (validate_exec(retpath) == 0) |
| return normalize_exec_path(retpath); |
| |
| log_error(errcode(ERRCODE_WRONG_OBJECT_TYPE), |
| _("invalid binary \"%s\": %m"), retpath); |
| return -1; |
| } |
| |
| #ifdef WIN32 |
| /* Win32 checks the current directory first for names without slashes */ |
| if (validate_exec(retpath) == 0) |
| return normalize_exec_path(retpath); |
| #endif |
| |
| /* |
| * Since no explicit path was supplied, the user must have been relying on |
| * PATH. We'll search the same PATH. |
| */ |
| if ((path = getenv("PATH")) && *path) |
| { |
| char *startp = NULL, |
| *endp = NULL; |
| |
| do |
| { |
| if (!startp) |
| startp = path; |
| else |
| startp = endp + 1; |
| |
| endp = first_path_var_separator(startp); |
| if (!endp) |
| endp = startp + strlen(startp); /* point to end */ |
| |
| strlcpy(retpath, startp, Min(endp - startp + 1, MAXPGPATH)); |
| |
| join_path_components(retpath, retpath, argv0); |
| canonicalize_path(retpath); |
| |
| switch (validate_exec(retpath)) |
| { |
| case 0: /* found ok */ |
| return normalize_exec_path(retpath); |
| case -1: /* wasn't even a candidate, keep looking */ |
| break; |
| case -2: /* found but disqualified */ |
| log_error(errcode(ERRCODE_WRONG_OBJECT_TYPE), |
| _("could not read binary \"%s\": %m"), |
| retpath); |
| break; |
| } |
| } while (*endp); |
| } |
| |
| log_error(errcode(ERRCODE_UNDEFINED_FILE), |
| _("could not find a \"%s\" to execute"), argv0); |
| return -1; |
| } |
| |
| |
| /* |
| * normalize_exec_path - resolve symlinks and convert to absolute path |
| * |
| * Given a path that refers to an executable, chase through any symlinks |
| * to find the real file location; then convert that to an absolute path. |
| * |
| * On success, replaces the contents of "path" with the absolute path. |
| * ("path" is assumed to be of size MAXPGPATH.) |
| * Returns 0 if OK, -1 if error. |
| */ |
| static int |
| normalize_exec_path(char *path) |
| { |
| /* |
| * We used to do a lot of work ourselves here, but now we just let |
| * realpath(3) do all the heavy lifting. |
| */ |
| char *abspath = pg_realpath(path); |
| |
| if (abspath == NULL) |
| { |
| log_error(errcode_for_file_access(), |
| _("could not resolve path \"%s\" to absolute form: %m"), |
| path); |
| return -1; |
| } |
| strlcpy(path, abspath, MAXPGPATH); |
| free(abspath); |
| |
| #ifdef WIN32 |
| /* On Windows, be sure to convert '\' to '/' */ |
| canonicalize_path(path); |
| #endif |
| |
| return 0; |
| } |
| |
| |
| /* |
| * pg_realpath() - realpath(3) with POSIX.1-2008 semantics |
| * |
| * This is equivalent to realpath(fname, NULL), in that it returns a |
| * malloc'd buffer containing the absolute path equivalent to fname. |
| * On error, returns NULL with errno set. |
| * |
| * On Windows, what you get is spelled per platform conventions, |
| * so you probably want to apply canonicalize_path() to the result. |
| * |
| * For now, this is needed only here so mark it static. If you choose to |
| * move it into its own file, move the _DARWIN_BETTER_REALPATH #define too! |
| */ |
| static char * |
| pg_realpath(const char *fname) |
| { |
| char *path; |
| |
| #ifndef WIN32 |
| path = realpath(fname, NULL); |
| if (path == NULL && errno == EINVAL) |
| { |
| /* |
| * Cope with old-POSIX systems that require a user-provided buffer. |
| * Assume MAXPGPATH is enough room on all such systems. |
| */ |
| char *buf = malloc(MAXPGPATH); |
| |
| if (buf == NULL) |
| return NULL; /* assume errno is set */ |
| path = realpath(fname, buf); |
| if (path == NULL) /* don't leak memory */ |
| { |
| int save_errno = errno; |
| |
| free(buf); |
| errno = save_errno; |
| } |
| } |
| #else /* WIN32 */ |
| |
| /* |
| * Microsoft is resolutely non-POSIX, but _fullpath() does the same thing. |
| * The documentation claims it reports errors by setting errno, which is a |
| * bit surprising for Microsoft, but we'll believe that until it's proven |
| * wrong. Clear errno first, though, so we can at least tell if a failure |
| * occurs and doesn't set it. |
| */ |
| errno = 0; |
| path = _fullpath(NULL, fname, 0); |
| #endif |
| |
| return path; |
| } |
| |
| |
| /* |
| * Find another program in our binary's directory, |
| * then make sure it is the proper version. |
| */ |
| int |
| find_other_exec(const char *argv0, const char *target, |
| const char *versionstr, char *retpath) |
| { |
| char cmd[MAXPGPATH]; |
| char line[MAXPGPATH]; |
| |
| if (find_my_exec(argv0, retpath) < 0) |
| return -1; |
| |
| /* Trim off program name and keep just directory */ |
| *last_dir_separator(retpath) = '\0'; |
| canonicalize_path(retpath); |
| |
| /* Now append the other program's name */ |
| snprintf(retpath + strlen(retpath), MAXPGPATH - strlen(retpath), |
| "/%s%s", target, EXE); |
| |
| if (validate_exec(retpath) != 0) |
| return -1; |
| |
| snprintf(cmd, sizeof(cmd), "\"%s\" -V", retpath); |
| |
| if (!pipe_read_line(cmd, line, sizeof(line))) |
| return -1; |
| |
| if (strcmp(line, versionstr) != 0) |
| return -2; |
| |
| return 0; |
| } |
| |
| |
| /* |
| * Execute a command in a pipe and read the first line from it. |
| */ |
| char * |
| pipe_read_line(char *cmd, char *line, int maxsize) |
| { |
| FILE *pgver; |
| |
| fflush(NULL); |
| |
| errno = 0; |
| if ((pgver = popen(cmd, "r")) == NULL) |
| { |
| perror("popen failure"); |
| return NULL; |
| } |
| |
| errno = 0; |
| if (fgets(line, maxsize, pgver) == NULL) |
| { |
| if (feof(pgver)) |
| fprintf(stderr, "no data was returned by command \"%s\"\n", cmd); |
| else |
| perror("fgets failure"); |
| pclose(pgver); /* no error checking */ |
| return NULL; |
| } |
| |
| if (pclose_check(pgver)) |
| return NULL; |
| |
| return line; |
| } |
| |
| |
| /* |
| * pclose() plus useful error reporting |
| */ |
| int |
| pclose_check(FILE *stream) |
| { |
| int exitstatus; |
| char *reason; |
| |
| exitstatus = pclose(stream); |
| |
| if (exitstatus == 0) |
| return 0; /* all is well */ |
| |
| if (exitstatus == -1) |
| { |
| /* pclose() itself failed, and hopefully set errno */ |
| log_error(errcode(ERRCODE_SYSTEM_ERROR), |
| _("%s() failed: %m"), "pclose"); |
| } |
| else |
| { |
| reason = wait_result_to_str(exitstatus); |
| log_error(errcode(ERRCODE_SYSTEM_ERROR), |
| "%s", reason); |
| pfree(reason); |
| } |
| return exitstatus; |
| } |
| |
| /* |
| * set_pglocale_pgservice |
| * |
| * Set application-specific locale and service directory |
| * |
| * This function takes the value of argv[0] rather than a full path. |
| * |
| * (You may be wondering why this is in exec.c. It requires this module's |
| * services and doesn't introduce any new dependencies, so this seems as |
| * good as anyplace.) |
| */ |
| void |
| set_pglocale_pgservice(const char *argv0, const char *app) |
| { |
| char path[MAXPGPATH]; |
| char my_exec_path[MAXPGPATH]; |
| |
| /* don't set LC_ALL in the backend */ |
| if (strcmp(app, PG_TEXTDOMAIN("postgres")) != 0) |
| { |
| setlocale(LC_ALL, ""); |
| |
| /* |
| * One could make a case for reproducing here PostmasterMain()'s test |
| * for whether the process is multithreaded. Unlike the postmaster, |
| * no frontend program calls sigprocmask() or otherwise provides for |
| * mutual exclusion between signal handlers. While frontends using |
| * fork(), if multithreaded, are formally exposed to undefined |
| * behavior, we have not witnessed a concrete bug. Therefore, |
| * complaining about multithreading here may be mere pedantry. |
| */ |
| } |
| |
| if (find_my_exec(argv0, my_exec_path) < 0) |
| return; |
| |
| #ifdef ENABLE_NLS |
| get_locale_path(my_exec_path, path); |
| bindtextdomain(app, path); |
| textdomain(app); |
| /* set for libpq to use, but don't override existing setting */ |
| setenv("PGLOCALEDIR", path, 0); |
| #endif |
| |
| if (getenv("PGSYSCONFDIR") == NULL) |
| { |
| get_etc_path(my_exec_path, path); |
| /* set for libpq to use */ |
| setenv("PGSYSCONFDIR", path, 0); |
| } |
| } |
| |
| #ifdef EXEC_BACKEND |
| /* |
| * For the benefit of PostgreSQL developers testing EXEC_BACKEND on Unix |
| * systems (code paths normally exercised only on Windows), provide a way to |
| * disable address space layout randomization, if we know how on this platform. |
| * Otherwise, backends may fail to attach to shared memory at the fixed address |
| * chosen by the postmaster. (See also the macOS-specific hack in |
| * sysv_shmem.c.) |
| */ |
| int |
| pg_disable_aslr(void) |
| { |
| #if defined(HAVE_SYS_PERSONALITY_H) |
| return personality(ADDR_NO_RANDOMIZE); |
| #elif defined(HAVE_SYS_PROCCTL_H) && defined(PROC_ASLR_FORCE_DISABLE) |
| int data = PROC_ASLR_FORCE_DISABLE; |
| |
| return procctl(P_PID, 0, PROC_ASLR_CTL, &data); |
| #else |
| errno = ENOSYS; |
| return -1; |
| #endif |
| } |
| #endif |
| |
| #ifdef WIN32 |
| |
| /* |
| * AddUserToTokenDacl(HANDLE hToken) |
| * |
| * This function adds the current user account to the restricted |
| * token used when we create a restricted process. |
| * |
| * This is required because of some security changes in Windows |
| * that appeared in patches to XP/2K3 and in Vista/2008. |
| * |
| * On these machines, the Administrator account is not included in |
| * the default DACL - you just get Administrators + System. For |
| * regular users you get User + System. Because we strip Administrators |
| * when we create the restricted token, we are left with only System |
| * in the DACL which leads to access denied errors for later CreatePipe() |
| * and CreateProcess() calls when running as Administrator. |
| * |
| * This function fixes this problem by modifying the DACL of the |
| * token the process will use, and explicitly re-adding the current |
| * user account. This is still secure because the Administrator account |
| * inherits its privileges from the Administrators group - it doesn't |
| * have any of its own. |
| */ |
| BOOL |
| AddUserToTokenDacl(HANDLE hToken) |
| { |
| int i; |
| ACL_SIZE_INFORMATION asi; |
| ACCESS_ALLOWED_ACE *pace; |
| DWORD dwNewAclSize; |
| DWORD dwSize = 0; |
| DWORD dwTokenInfoLength = 0; |
| PACL pacl = NULL; |
| PTOKEN_USER pTokenUser = NULL; |
| TOKEN_DEFAULT_DACL tddNew; |
| TOKEN_DEFAULT_DACL *ptdd = NULL; |
| TOKEN_INFORMATION_CLASS tic = TokenDefaultDacl; |
| BOOL ret = FALSE; |
| |
| /* Figure out the buffer size for the DACL info */ |
| if (!GetTokenInformation(hToken, tic, (LPVOID) NULL, dwTokenInfoLength, &dwSize)) |
| { |
| if (GetLastError() == ERROR_INSUFFICIENT_BUFFER) |
| { |
| ptdd = (TOKEN_DEFAULT_DACL *) LocalAlloc(LPTR, dwSize); |
| if (ptdd == NULL) |
| { |
| log_error(errcode(ERRCODE_OUT_OF_MEMORY), |
| _("out of memory")); |
| goto cleanup; |
| } |
| |
| if (!GetTokenInformation(hToken, tic, (LPVOID) ptdd, dwSize, &dwSize)) |
| { |
| log_error(errcode(ERRCODE_SYSTEM_ERROR), |
| "could not get token information: error code %lu", |
| GetLastError()); |
| goto cleanup; |
| } |
| } |
| else |
| { |
| log_error(errcode(ERRCODE_SYSTEM_ERROR), |
| "could not get token information buffer size: error code %lu", |
| GetLastError()); |
| goto cleanup; |
| } |
| } |
| |
| /* Get the ACL info */ |
| if (!GetAclInformation(ptdd->DefaultDacl, (LPVOID) &asi, |
| (DWORD) sizeof(ACL_SIZE_INFORMATION), |
| AclSizeInformation)) |
| { |
| log_error(errcode(ERRCODE_SYSTEM_ERROR), |
| "could not get ACL information: error code %lu", |
| GetLastError()); |
| goto cleanup; |
| } |
| |
| /* Get the current user SID */ |
| if (!GetTokenUser(hToken, &pTokenUser)) |
| goto cleanup; /* callee printed a message */ |
| |
| /* Figure out the size of the new ACL */ |
| dwNewAclSize = asi.AclBytesInUse + sizeof(ACCESS_ALLOWED_ACE) + |
| GetLengthSid(pTokenUser->User.Sid) - sizeof(DWORD); |
| |
| /* Allocate the ACL buffer & initialize it */ |
| pacl = (PACL) LocalAlloc(LPTR, dwNewAclSize); |
| if (pacl == NULL) |
| { |
| log_error(errcode(ERRCODE_OUT_OF_MEMORY), |
| _("out of memory")); |
| goto cleanup; |
| } |
| |
| if (!InitializeAcl(pacl, dwNewAclSize, ACL_REVISION)) |
| { |
| log_error(errcode(ERRCODE_SYSTEM_ERROR), |
| "could not initialize ACL: error code %lu", GetLastError()); |
| goto cleanup; |
| } |
| |
| /* Loop through the existing ACEs, and build the new ACL */ |
| for (i = 0; i < (int) asi.AceCount; i++) |
| { |
| if (!GetAce(ptdd->DefaultDacl, i, (LPVOID *) &pace)) |
| { |
| log_error(errcode(ERRCODE_SYSTEM_ERROR), |
| "could not get ACE: error code %lu", GetLastError()); |
| goto cleanup; |
| } |
| |
| if (!AddAce(pacl, ACL_REVISION, MAXDWORD, pace, ((PACE_HEADER) pace)->AceSize)) |
| { |
| log_error(errcode(ERRCODE_SYSTEM_ERROR), |
| "could not add ACE: error code %lu", GetLastError()); |
| goto cleanup; |
| } |
| } |
| |
| /* Add the new ACE for the current user */ |
| if (!AddAccessAllowedAceEx(pacl, ACL_REVISION, OBJECT_INHERIT_ACE, GENERIC_ALL, pTokenUser->User.Sid)) |
| { |
| log_error(errcode(ERRCODE_SYSTEM_ERROR), |
| "could not add access allowed ACE: error code %lu", |
| GetLastError()); |
| goto cleanup; |
| } |
| |
| /* Set the new DACL in the token */ |
| tddNew.DefaultDacl = pacl; |
| |
| if (!SetTokenInformation(hToken, tic, (LPVOID) &tddNew, dwNewAclSize)) |
| { |
| log_error(errcode(ERRCODE_SYSTEM_ERROR), |
| "could not set token information: error code %lu", |
| GetLastError()); |
| goto cleanup; |
| } |
| |
| ret = TRUE; |
| |
| cleanup: |
| if (pTokenUser) |
| LocalFree((HLOCAL) pTokenUser); |
| |
| if (pacl) |
| LocalFree((HLOCAL) pacl); |
| |
| if (ptdd) |
| LocalFree((HLOCAL) ptdd); |
| |
| return ret; |
| } |
| |
| /* |
| * GetTokenUser(HANDLE hToken, PTOKEN_USER *ppTokenUser) |
| * |
| * Get the users token information from a process token. |
| * |
| * The caller of this function is responsible for calling LocalFree() on the |
| * returned TOKEN_USER memory. |
| */ |
| static BOOL |
| GetTokenUser(HANDLE hToken, PTOKEN_USER *ppTokenUser) |
| { |
| DWORD dwLength; |
| |
| *ppTokenUser = NULL; |
| |
| if (!GetTokenInformation(hToken, |
| TokenUser, |
| NULL, |
| 0, |
| &dwLength)) |
| { |
| if (GetLastError() == ERROR_INSUFFICIENT_BUFFER) |
| { |
| *ppTokenUser = (PTOKEN_USER) LocalAlloc(LPTR, dwLength); |
| |
| if (*ppTokenUser == NULL) |
| { |
| log_error(errcode(ERRCODE_OUT_OF_MEMORY), |
| _("out of memory")); |
| return FALSE; |
| } |
| } |
| else |
| { |
| log_error(errcode(ERRCODE_SYSTEM_ERROR), |
| "could not get token information buffer size: error code %lu", |
| GetLastError()); |
| return FALSE; |
| } |
| } |
| |
| if (!GetTokenInformation(hToken, |
| TokenUser, |
| *ppTokenUser, |
| dwLength, |
| &dwLength)) |
| { |
| LocalFree(*ppTokenUser); |
| *ppTokenUser = NULL; |
| |
| log_error(errcode(ERRCODE_SYSTEM_ERROR), |
| "could not get token information: error code %lu", |
| GetLastError()); |
| return FALSE; |
| } |
| |
| /* Memory in *ppTokenUser is LocalFree():d by the caller */ |
| return TRUE; |
| } |
| |
| #endif |
