Loading...
Searching...
No Matches
#include "postgres.h"#include <signal.h>#include <sys/stat.h>#include <sys/wait.h>#include <unistd.h>#include "common/string.h"
Include dependency graph for exec.c:
Go to the source code of this file.
Macros | |
| #define | _DARWIN_BETTER_REALPATH |
| #define | log_error(errcodefn, ...) ereport(LOG, (errcodefn, errmsg_internal(__VA_ARGS__))) |
Functions | |
| static int | normalize_exec_path (char *path) |
| static char * | pg_realpath (const char *fname) |
| int | validate_exec (const char *path) |
| int | find_my_exec (const char *argv0, char *retpath) |
| int | find_other_exec (const char *argv0, const char *target, const char *versionstr, char *retpath) |
| char * | pipe_read_line (char *cmd) |
| int | pclose_check (FILE *stream) |
| void | set_pglocale_pgservice (const char *argv0, const char *app) |
Macro Definition Documentation
◆ _DARWIN_BETTER_REALPATH
◆ log_error
| #define log_error | ( | errcodefn, | |
| ... | |||
| ) | ereport(LOG, (errcodefn, errmsg_internal(__VA_ARGS__))) |
Definition at line 66 of file exec.c.
90{
94
95#ifdef WIN32
97
98 /* Win32 requires a .exe suffix for stat() */
101 {
104 path = path_exe;
105 }
106#endif
107
108 /*
109 * Ensure that the file exists and is a regular file.
110 *
111 * XXX if you have a broken system where stat() looks at the symlink
112 * instead of the underlying file, you lose.
113 */
115 return -1;
116
118 {
119 /*
120 * POSIX offers no errno code that's simply "not a regular file". If
121 * it's a directory we can use EISDIR. Otherwise, it's most likely a
122 * device special file, and EPERM (Operation not permitted) isn't too
123 * horribly off base.
124 */
126 return -1;
127 }
128
129 /*
130 * Ensure that the file is both executable and readable (required for
131 * dynamic loading).
132 */
133#ifndef WIN32
136 /* access() will set errno if it returns -1 */
137#else
141#endif
143}
144
145
146/*
147 * find_my_exec -- find an absolute path to this program's executable
148 *
149 * argv0 is the name passed on the command line
150 * retpath is the output area (must be of size MAXPGPATH)
151 * Returns 0 if OK, -1 if error.
152 *
153 * The reason we have to work so hard to find an absolute path is that
154 * on some platforms we can't do dynamic loading unless we know the
155 * executable's location. Also, we need an absolute path not a relative
156 * path because we may later change working directory. Finally, we want
157 * a true path not a symlink location, so that we can locate other files
158 * that are part of our installation relative to the executable.
159 */
160int
162{
163 char *path;
164
165 /*
166 * If argv0 contains a separator, then PATH wasn't used.
167 */
170 {
173
176 return -1;
177 }
178
179#ifdef WIN32
180 /* Win32 checks the current directory first for names without slashes */
183#endif
184
185 /*
186 * Since no explicit path was supplied, the user must have been relying on
187 * PATH. We'll search the same PATH.
188 */
190 {
193
194 do
195 {
197 startp = path;
198 else
200
204
206
209
211 {
212 case 0: /* found ok */
214 case -1: /* wasn't even a candidate, keep looking */
215 break;
216 case -2: /* found but disqualified */
219 retpath);
220 break;
221 }
223 }
224
227 return -1;
228}
229
230
231/*
232 * normalize_exec_path - resolve symlinks and convert to absolute path
233 *
234 * Given a path that refers to an executable, chase through any symlinks
235 * to find the real file location; then convert that to an absolute path.
236 *
237 * On success, replaces the contents of "path" with the absolute path.
238 * ("path" is assumed to be of size MAXPGPATH.)
239 * Returns 0 if OK, -1 if error.
240 */
241static int
243{
244 /*
245 * We used to do a lot of work ourselves here, but now we just let
246 * realpath(3) do all the heavy lifting.
247 */
249
251 {
254 path);
255 return -1;
256 }
259
260#ifdef WIN32
261 /* On Windows, be sure to convert '\' to '/' */
262 canonicalize_path(path);
263#endif
264
265 return 0;
266}
267
268
269/*
270 * pg_realpath() - realpath(3) with POSIX.1-2008 semantics
271 *
272 * This is equivalent to realpath(fname, NULL), in that it returns a
273 * malloc'd buffer containing the absolute path equivalent to fname.
274 * On error, returns NULL with errno set.
275 *
276 * On Windows, what you get is spelled per platform conventions,
277 * so you probably want to apply canonicalize_path() to the result.
278 *
279 * For now, this is needed only here so mark it static. If you choose to
280 * move it into its own file, move the _DARWIN_BETTER_REALPATH #define too!
281 */
282static char *
284{
285 char *path;
286
287#ifndef WIN32
289#else /* WIN32 */
290
291 /*
292 * Microsoft is resolutely non-POSIX, but _fullpath() does the same thing.
293 * The documentation claims it reports errors by setting errno, which is a
294 * bit surprising for Microsoft, but we'll believe that until it's proven
295 * wrong. Clear errno first, though, so we can at least tell if a failure
296 * occurs and doesn't set it.
297 */
298 errno = 0;
300#endif
301
302 return path;
303}
304
305
306/*
307 * Find another program in our binary's directory,
308 * then make sure it is the proper version.
309 */
310int
313{
315 char *line;
316
318 return -1;
319
320 /* Trim off program name and keep just directory */
323
324 /* Now append the other program's name */
327
329 return -1;
330
332
334 return -1;
335
337 {
338 pfree(line);
339 return -2;
340 }
341
342 pfree(line);
343 return 0;
344}
345
346
347/*
348 * Execute a command in a pipe and read the first line from it. The returned
349 * string is palloc'd (malloc'd in frontend code), the caller is responsible
350 * for freeing.
351 */
352char *
354{
356 char *line;
357
359
360 errno = 0;
362 {
366 }
367
368 /* Make sure popen() didn't change errno */
369 errno = 0;
371
373 {
377 else
380 }
381
383
384 return line;
385}
386
387
388/*
389 * pclose() plus useful error reporting
390 */
391int
393{
395 char *reason;
396
398
400 return 0; /* all is well */
401
403 {
404 /* pclose() itself failed, and hopefully set errno */
407 }
408 else
409 {
412 "%s", reason);
413 pfree(reason);
414 }
416}
417
418/*
419 * set_pglocale_pgservice
420 *
421 * Set application-specific locale and service directory
422 *
423 * This function takes the value of argv[0] rather than a full path.
424 *
425 * (You may be wondering why this is in exec.c. It requires this module's
426 * services and doesn't introduce any new dependencies, so this seems as
427 * good as anyplace.)
428 */
429void
431{
434
435 /* don't set LC_ALL in the backend */
437 {
439
440 /*
441 * One could make a case for reproducing here PostmasterMain()'s test
442 * for whether the process is multithreaded. Unlike the postmaster,
443 * no frontend program calls sigprocmask() or otherwise provides for
444 * mutual exclusion between signal handlers. While frontends using
445 * fork(), if multithreaded, are formally exposed to undefined
446 * behavior, we have not witnessed a concrete bug. Therefore,
447 * complaining about multithreading here may be mere pedantry.
448 */
449 }
450
452 return;
453
454#ifdef ENABLE_NLS
458 /* set for libpq to use, but don't override existing setting */
460#endif
461
463 {
465 /* set for libpq to use */
467 }
468}
469
470#ifdef EXEC_BACKEND
471/*
472 * For the benefit of PostgreSQL developers testing EXEC_BACKEND on Unix
473 * systems (code paths normally exercised only on Windows), provide a way to
474 * disable address space layout randomization, if we know how on this platform.
475 * Otherwise, backends may fail to attach to shared memory at the fixed address
476 * chosen by the postmaster. (See also the macOS-specific hack in
477 * sysv_shmem.c.)
478 */
479int
481{
482#if defined(HAVE_SYS_PERSONALITY_H)
484#elif defined(HAVE_SYS_PROCCTL_H) && defined(PROC_ASLR_FORCE_DISABLE)
486
488#else
490 return -1;
491#endif
492}
493#endif
494
495#ifdef WIN32
496
497/*
498 * AddUserToTokenDacl(HANDLE hToken)
499 *
500 * This function adds the current user account to the restricted
501 * token used when we create a restricted process.
502 *
503 * This is required because of some security changes in Windows
504 * that appeared in patches to XP/2K3 and in Vista/2008.
505 *
506 * On these machines, the Administrator account is not included in
507 * the default DACL - you just get Administrators + System. For
508 * regular users you get User + System. Because we strip Administrators
509 * when we create the restricted token, we are left with only System
510 * in the DACL which leads to access denied errors for later CreatePipe()
511 * and CreateProcess() calls when running as Administrator.
512 *
513 * This function fixes this problem by modifying the DACL of the
514 * token the process will use, and explicitly re-adding the current
515 * user account. This is still secure because the Administrator account
516 * inherits its privileges from the Administrators group - it doesn't
517 * have any of its own.
518 */
519BOOL
521{
534
535 /* Figure out the buffer size for the DACL info */
537 {
539 {
542 {
546 }
547
549 {
551 "could not get token information: error code %lu",
552 GetLastError());
554 }
555 }
556 else
557 {
559 "could not get token information buffer size: error code %lu",
560 GetLastError());
562 }
563 }
564
565 /* Get the ACL info */
568 AclSizeInformation))
569 {
571 "could not get ACL information: error code %lu",
572 GetLastError());
574 }
575
576 /* Get the current user SID */
579
580 /* Figure out the size of the new ACL */
583
584 /* Allocate the ACL buffer & initialize it */
587 {
591 }
592
594 {
598 }
599
600 /* Loop through the existing ACEs, and build the new ACL */
602 {
604 {
608 }
609
611 {
615 }
616 }
617
618 /* Add the new ACE for the current user */
619 if (!AddAccessAllowedAceEx(pacl, ACL_REVISION, OBJECT_INHERIT_ACE, GENERIC_ALL, pTokenUser->User.Sid))
620 {
622 "could not add access allowed ACE: error code %lu",
623 GetLastError());
625 }
626
627 /* Set the new DACL in the token */
629
631 {
633 "could not set token information: error code %lu",
634 GetLastError());
636 }
637
638 ret = TRUE;
639
640cleanup:
643
646
649
650 return ret;
651}
652
653/*
654 * GetTokenUser(HANDLE hToken, PTOKEN_USER *ppTokenUser)
655 *
656 * Get the users token information from a process token.
657 *
658 * The caller of this function is responsible for calling LocalFree() on the
659 * returned TOKEN_USER memory.
660 */
663{
665
667
669 TokenUser,
670 NULL,
671 0,
672 &dwLength))
673 {
675 {
677
679 {
683 }
684 }
685 else
686 {
688 "could not get token information buffer size: error code %lu",
689 GetLastError());
691 }
692 }
693
695 TokenUser,
696 *ppTokenUser,
697 dwLength,
698 &dwLength))
699 {
702
704 "could not get token information: error code %lu",
705 GetLastError());
707 }
708
709 /* Memory in *ppTokenUser is LocalFree():d by the caller */
711}
712
713#endif
void set_pglocale_pgservice(const char *argv0, const char *app)
Definition exec.c:430
int find_other_exec(const char *argv0, const char *target, const char *versionstr, char *retpath)
Definition exec.c:311
char * pg_get_line(FILE *stream, PromptInterruptContext *prompt_ctx)
Definition pg_get_line.c:59
void join_path_components(char *ret_path, const char *head, const char *tail)
Definition path.c:286
Definition win32_port.h:255
BOOL AddUserToTokenDacl(HANDLE hToken)
Function Documentation
◆ find_my_exec()
Definition at line 161 of file exec.c.
162{
163 char *path;
164
165 /*
166 * If argv0 contains a separator, then PATH wasn't used.
167 */
170 {
173
176 return -1;
177 }
178
179#ifdef WIN32
180 /* Win32 checks the current directory first for names without slashes */
183#endif
184
185 /*
186 * Since no explicit path was supplied, the user must have been relying on
187 * PATH. We'll search the same PATH.
188 */
190 {
193
194 do
195 {
197 startp = path;
198 else
200
204
206
209
211 {
212 case 0: /* found ok */
214 case -1: /* wasn't even a candidate, keep looking */
215 break;
216 case -2: /* found but disqualified */
219 retpath);
220 break;
221 }
223 }
224
227 return -1;
228}
References _, argv0, canonicalize_path(), errcode(), fb(), first_dir_separator(), first_path_var_separator(), join_path_components(), log_error, MAXPGPATH, Min, normalize_exec_path(), strlcpy(), and validate_exec().
Referenced by ensureCleanShutdown(), find_other_exec(), find_other_exec_or_die(), get_exec_path(), getInstallationPaths(), getRestoreCommand(), InitStandaloneProcess(), main(), main(), main(), process_psqlrc(), set_pglocale_pgservice(), setup(), and setup_bin_paths().
◆ find_other_exec()
| int find_other_exec | ( | const char * | argv0, |
| const char * | target, | ||
| const char * | versionstr, | ||
| char * | retpath | ||
| ) |
Definition at line 311 of file exec.c.
313{
315 char *line;
316
318 return -1;
319
320 /* Trim off program name and keep just directory */
323
324 /* Now append the other program's name */
327
329 return -1;
330
332
334 return -1;
335
337 {
338 pfree(line);
339 return -2;
340 }
341
342 pfree(line);
343 return 0;
344}
References argv0, canonicalize_path(), EXE, fb(), find_my_exec(), last_dir_separator(), MAXPGPATH, pfree(), pipe_read_line(), snprintf, and validate_exec().
Referenced by ensureCleanShutdown(), find_other_exec_or_die(), get_exec_path(), getInstallationPaths(), getRestoreCommand(), isolation_start_test(), main(), main(), and setup_bin_paths().
◆ normalize_exec_path()
Definition at line 242 of file exec.c.
243{
244 /*
245 * We used to do a lot of work ourselves here, but now we just let
246 * realpath(3) do all the heavy lifting.
247 */
249
251 {
254 path);
255 return -1;
256 }
259
260#ifdef WIN32
261 /* On Windows, be sure to convert '\' to '/' */
262 canonicalize_path(path);
263#endif
264
265 return 0;
266}
References _, canonicalize_path(), errcode_for_file_access(), fb(), free, log_error, MAXPGPATH, pg_realpath(), and strlcpy().
Referenced by find_my_exec().
◆ pclose_check()
Definition at line 392 of file exec.c.
393{
395 char *reason;
396
398
400 return 0; /* all is well */
401
403 {
404 /* pclose() itself failed, and hopefully set errno */
407 }
408 else
409 {
412 "%s", reason);
413 pfree(reason);
414 }
416}
References _, errcode(), fb(), log_error, pfree(), and wait_result_to_str().
Referenced by pipe_read_line().
◆ pg_realpath()
Definition at line 283 of file exec.c.
284{
285 char *path;
286
287#ifndef WIN32
289#else /* WIN32 */
290
291 /*
292 * Microsoft is resolutely non-POSIX, but _fullpath() does the same thing.
293 * The documentation claims it reports errors by setting errno, which is a
294 * bit surprising for Microsoft, but we'll believe that until it's proven
295 * wrong. Clear errno first, though, so we can at least tell if a failure
296 * occurs and doesn't set it.
297 */
298 errno = 0;
300#endif
301
302 return path;
303}
References fb().
Referenced by normalize_exec_path().
◆ pipe_read_line()
Definition at line 353 of file exec.c.
354{
356 char *line;
357
359
360 errno = 0;
362 {
366 }
367
368 /* Make sure popen() didn't change errno */
369 errno = 0;
371
373 {
377 else
380 }
381
383
384 return line;
385}
References _, errcode(), errcode_for_file_access(), fb(), log_error, pclose_check(), and pg_get_line().
Referenced by check_exec(), find_other_exec(), and getRestoreCommand().
◆ set_pglocale_pgservice()
Definition at line 430 of file exec.c.
431{
434
435 /* don't set LC_ALL in the backend */
437 {
439
440 /*
441 * One could make a case for reproducing here PostmasterMain()'s test
442 * for whether the process is multithreaded. Unlike the postmaster,
443 * no frontend program calls sigprocmask() or otherwise provides for
444 * mutual exclusion between signal handlers. While frontends using
445 * fork(), if multithreaded, are formally exposed to undefined
446 * behavior, we have not witnessed a concrete bug. Therefore,
447 * complaining about multithreading here may be mere pedantry.
448 */
449 }
450
452 return;
453
454#ifdef ENABLE_NLS
458 /* set for libpq to use, but don't override existing setting */
460#endif
461
463 {
465 /* set for libpq to use */
467 }
468}
References argv0, fb(), find_my_exec(), get_etc_path(), get_locale_path(), MAXPGPATH, my_exec_path, PG_TEXTDOMAIN, setenv, and setlocale.
Referenced by main(), main(), main(), and regression_main().
◆ validate_exec()
Definition at line 89 of file exec.c.
90{
94
95#ifdef WIN32
97
98 /* Win32 requires a .exe suffix for stat() */
101 {
104 path = path_exe;
105 }
106#endif
107
108 /*
109 * Ensure that the file exists and is a regular file.
110 *
111 * XXX if you have a broken system where stat() looks at the symlink
112 * instead of the underlying file, you lose.
113 */
115 return -1;
116
118 {
119 /*
120 * POSIX offers no errno code that's simply "not a regular file". If
121 * it's a directory we can use EISDIR. Otherwise, it's most likely a
122 * device special file, and EPERM (Operation not permitted) isn't too
123 * horribly off base.
124 */
126 return -1;
127 }
128
129 /*
130 * Ensure that the file is both executable and readable (required for
131 * dynamic loading).
132 */
133#ifndef WIN32
136 /* access() will set errno if it returns -1 */
137#else
141#endif
143}
References buf, fb(), MAXPGPATH, pg_strcasecmp(), S_IRUSR, S_ISDIR, S_ISREG, S_IXUSR, stat, and strlcpy().
Referenced by check_exec(), find_my_exec(), and find_other_exec().
