1 /*-------------------------------------------------------------------------
4 * Functions for finding and validating executable files
7 * Portions Copyright (c) 1996-2024, PostgreSQL Global Development Group
8 * Portions Copyright (c) 1994, Regents of the University of California
14 *-------------------------------------------------------------------------
18 * On macOS, "man realpath" avers:
19 * Defining _DARWIN_C_SOURCE or _DARWIN_BETTER_REALPATH before including
20 * stdlib.h will cause the provided implementation of realpath() to use
21 * F_GETPATH from fcntl(2) to discover the path.
22 * This should be harmless everywhere else.
24 #define _DARWIN_BETTER_REALPATH
29 #include "postgres_fe.h"
38 #if defined(HAVE_SYS_PERSONALITY_H)
39 #include <sys/personality.h>
40 #elif defined(HAVE_SYS_PROCCTL_H)
41 #include <sys/procctl.h>
45 #include "common/string.h"
47 /* Inhibit mingw CRT's auto-globbing of command line arguments */
48 #if defined(WIN32) && !defined(_MSC_VER)
49 extern int _CRT_glob
= 0; /* 0 turns off globbing; 1 turns it on */
53 * Hacky solution to allow expressing both frontend and backend error reports
54 * in one macro call. First argument of log_error is an errcode() call of
55 * some sort (ignored if FRONTEND); the rest are errmsg_internal() arguments,
56 * i.e. message string and any parameters for it.
58 * Caller must provide the gettext wrapper around the message string, if
59 * appropriate, so that it gets translated in the FRONTEND case; this
60 * motivates using errmsg_internal() not errmsg(). We handle appending a
61 * newline, if needed, inside the macro, so that there's only one translatable
62 * string per call not two.
65 #define log_error(errcodefn, ...) \
66 ereport(LOG, (errcodefn, errmsg_internal(__VA_ARGS__)))
68 #define log_error(errcodefn, ...) \
69 (fprintf(stderr, __VA_ARGS__), fputc('\n', stderr))
72 static int normalize_exec_path(char *path
);
73 static char *pg_realpath(const char *fname
);
76 static BOOL
GetTokenUser(HANDLE hToken
, PTOKEN_USER
*ppTokenUser
);
80 * validate_exec -- validate "path" as an executable file
82 * returns 0 if the file is found and no error is encountered.
83 * -1 if the regular file "path" does not exist or cannot be executed.
84 * -2 if the file is otherwise valid but cannot be read.
85 * in the failure cases, errno is set appropriately
88 validate_exec(const char *path
)
95 char path_exe
[MAXPGPATH
+ sizeof(".exe") - 1];
97 /* Win32 requires a .exe suffix for stat() */
98 if (strlen(path
) < strlen(".exe") ||
99 pg_strcasecmp(path
+ strlen(path
) - strlen(".exe"), ".exe") != 0)
101 strlcpy(path_exe
, path
, sizeof(path_exe
) - 4);
102 strcat(path_exe
, ".exe");
108 * Ensure that the file exists and is a regular file.
110 * XXX if you have a broken system where stat() looks at the symlink
111 * instead of the underlying file, you lose.
113 if (stat(path
, &buf
) < 0)
116 if (!S_ISREG(buf
.st_mode
))
119 * POSIX offers no errno code that's simply "not a regular file". If
120 * it's a directory we can use EISDIR. Otherwise, it's most likely a
121 * device special file, and EPERM (Operation not permitted) isn't too
124 errno
= S_ISDIR(buf
.st_mode
) ? EISDIR
: EPERM
;
129 * Ensure that the file is both executable and readable (required for
133 is_r
= (access(path
, R_OK
) == 0);
134 is_x
= (access(path
, X_OK
) == 0);
135 /* access() will set errno if it returns -1 */
137 is_r
= buf
.st_mode
& S_IRUSR
;
138 is_x
= buf
.st_mode
& S_IXUSR
;
139 errno
= EACCES
; /* appropriate thing if we return nonzero */
141 return is_x
? (is_r
? 0 : -2) : -1;
146 * find_my_exec -- find an absolute path to this program's executable
148 * argv0 is the name passed on the command line
149 * retpath is the output area (must be of size MAXPGPATH)
150 * Returns 0 if OK, -1 if error.
152 * The reason we have to work so hard to find an absolute path is that
153 * on some platforms we can't do dynamic loading unless we know the
154 * executable's location. Also, we need an absolute path not a relative
155 * path because we may later change working directory. Finally, we want
156 * a true path not a symlink location, so that we can locate other files
157 * that are part of our installation relative to the executable.
160 find_my_exec(const char *argv0
, char *retpath
)
165 * If argv0 contains a separator, then PATH wasn't used.
167 strlcpy(retpath
, argv0
, MAXPGPATH
);
168 if (first_dir_separator(retpath
) != NULL
)
170 if (validate_exec(retpath
) == 0)
171 return normalize_exec_path(retpath
);
173 log_error(errcode(ERRCODE_WRONG_OBJECT_TYPE
),
174 _("invalid binary \"%s\": %m"), retpath
);
179 /* Win32 checks the current directory first for names without slashes */
180 if (validate_exec(retpath
) == 0)
181 return normalize_exec_path(retpath
);
185 * Since no explicit path was supplied, the user must have been relying on
186 * PATH. We'll search the same PATH.
188 if ((path
= getenv("PATH")) && *path
)
200 endp
= first_path_var_separator(startp
);
202 endp
= startp
+ strlen(startp
); /* point to end */
204 strlcpy(retpath
, startp
, Min(endp
- startp
+ 1, MAXPGPATH
));
206 join_path_components(retpath
, retpath
, argv0
);
207 canonicalize_path(retpath
);
209 switch (validate_exec(retpath
))
211 case 0: /* found ok */
212 return normalize_exec_path(retpath
);
213 case -1: /* wasn't even a candidate, keep looking */
215 case -2: /* found but disqualified */
216 log_error(errcode(ERRCODE_WRONG_OBJECT_TYPE
),
217 _("could not read binary \"%s\": %m"),
224 log_error(errcode(ERRCODE_UNDEFINED_FILE
),
225 _("could not find a \"%s\" to execute"), argv0
);
231 * normalize_exec_path - resolve symlinks and convert to absolute path
233 * Given a path that refers to an executable, chase through any symlinks
234 * to find the real file location; then convert that to an absolute path.
236 * On success, replaces the contents of "path" with the absolute path.
237 * ("path" is assumed to be of size MAXPGPATH.)
238 * Returns 0 if OK, -1 if error.
241 normalize_exec_path(char *path
)
244 * We used to do a lot of work ourselves here, but now we just let
245 * realpath(3) do all the heavy lifting.
247 char *abspath
= pg_realpath(path
);
251 log_error(errcode_for_file_access(),
252 _("could not resolve path \"%s\" to absolute form: %m"),
256 strlcpy(path
, abspath
, MAXPGPATH
);
260 /* On Windows, be sure to convert '\' to '/' */
261 canonicalize_path(path
);
269 * pg_realpath() - realpath(3) with POSIX.1-2008 semantics
271 * This is equivalent to realpath(fname, NULL), in that it returns a
272 * malloc'd buffer containing the absolute path equivalent to fname.
273 * On error, returns NULL with errno set.
275 * On Windows, what you get is spelled per platform conventions,
276 * so you probably want to apply canonicalize_path() to the result.
278 * For now, this is needed only here so mark it static. If you choose to
279 * move it into its own file, move the _DARWIN_BETTER_REALPATH #define too!
282 pg_realpath(const char *fname
)
287 path
= realpath(fname
, NULL
);
291 * Microsoft is resolutely non-POSIX, but _fullpath() does the same thing.
292 * The documentation claims it reports errors by setting errno, which is a
293 * bit surprising for Microsoft, but we'll believe that until it's proven
294 * wrong. Clear errno first, though, so we can at least tell if a failure
295 * occurs and doesn't set it.
298 path
= _fullpath(NULL
, fname
, 0);
306 * Find another program in our binary's directory,
307 * then make sure it is the proper version.
310 find_other_exec(const char *argv0
, const char *target
,
311 const char *versionstr
, char *retpath
)
316 if (find_my_exec(argv0
, retpath
) < 0)
319 /* Trim off program name and keep just directory */
320 *last_dir_separator(retpath
) = '\0';
321 canonicalize_path(retpath
);
323 /* Now append the other program's name */
324 snprintf(retpath
+ strlen(retpath
), MAXPGPATH
- strlen(retpath
),
325 "/%s%s", target
, EXE
);
327 if (validate_exec(retpath
) != 0)
330 snprintf(cmd
, sizeof(cmd
), "\"%s\" -V", retpath
);
332 if ((line
= pipe_read_line(cmd
)) == NULL
)
335 if (strcmp(line
, versionstr
) != 0)
347 * Execute a command in a pipe and read the first line from it. The returned
348 * string is palloc'd (malloc'd in frontend code), the caller is responsible
352 pipe_read_line(char *cmd
)
360 if ((pipe_cmd
= popen(cmd
, "r")) == NULL
)
362 log_error(errcode(ERRCODE_SYSTEM_ERROR
),
363 _("could not execute command \"%s\": %m"), cmd
);
367 /* Make sure popen() didn't change errno */
369 line
= pg_get_line(pipe_cmd
, NULL
);
373 if (ferror(pipe_cmd
))
374 log_error(errcode_for_file_access(),
375 _("could not read from command \"%s\": %m"), cmd
);
377 log_error(errcode(ERRCODE_NO_DATA
),
378 _("no data was returned by command \"%s\""), cmd
);
381 (void) pclose_check(pipe_cmd
);
388 * pclose() plus useful error reporting
391 pclose_check(FILE *stream
)
396 exitstatus
= pclose(stream
);
399 return 0; /* all is well */
401 if (exitstatus
== -1)
403 /* pclose() itself failed, and hopefully set errno */
404 log_error(errcode(ERRCODE_SYSTEM_ERROR
),
405 _("%s() failed: %m"), "pclose");
409 reason
= wait_result_to_str(exitstatus
);
410 log_error(errcode(ERRCODE_SYSTEM_ERROR
),
418 * set_pglocale_pgservice
420 * Set application-specific locale and service directory
422 * This function takes the value of argv[0] rather than a full path.
424 * (You may be wondering why this is in exec.c. It requires this module's
425 * services and doesn't introduce any new dependencies, so this seems as
429 set_pglocale_pgservice(const char *argv0
, const char *app
)
431 char path
[MAXPGPATH
];
432 char my_exec_path
[MAXPGPATH
];
434 /* don't set LC_ALL in the backend */
435 if (strcmp(app
, PG_TEXTDOMAIN("postgres")) != 0)
437 setlocale(LC_ALL
, "");
440 * One could make a case for reproducing here PostmasterMain()'s test
441 * for whether the process is multithreaded. Unlike the postmaster,
442 * no frontend program calls sigprocmask() or otherwise provides for
443 * mutual exclusion between signal handlers. While frontends using
444 * fork(), if multithreaded, are formally exposed to undefined
445 * behavior, we have not witnessed a concrete bug. Therefore,
446 * complaining about multithreading here may be mere pedantry.
450 if (find_my_exec(argv0
, my_exec_path
) < 0)
454 get_locale_path(my_exec_path
, path
);
455 bindtextdomain(app
, path
);
457 /* set for libpq to use, but don't override existing setting */
458 setenv("PGLOCALEDIR", path
, 0);
461 if (getenv("PGSYSCONFDIR") == NULL
)
463 get_etc_path(my_exec_path
, path
);
464 /* set for libpq to use */
465 setenv("PGSYSCONFDIR", path
, 0);
471 * For the benefit of PostgreSQL developers testing EXEC_BACKEND on Unix
472 * systems (code paths normally exercised only on Windows), provide a way to
473 * disable address space layout randomization, if we know how on this platform.
474 * Otherwise, backends may fail to attach to shared memory at the fixed address
475 * chosen by the postmaster. (See also the macOS-specific hack in
479 pg_disable_aslr(void)
481 #if defined(HAVE_SYS_PERSONALITY_H)
482 return personality(ADDR_NO_RANDOMIZE
);
483 #elif defined(HAVE_SYS_PROCCTL_H) && defined(PROC_ASLR_FORCE_DISABLE)
484 int data
= PROC_ASLR_FORCE_DISABLE
;
486 return procctl(P_PID
, 0, PROC_ASLR_CTL
, &data
);
497 * AddUserToTokenDacl(HANDLE hToken)
499 * This function adds the current user account to the restricted
500 * token used when we create a restricted process.
502 * This is required because of some security changes in Windows
503 * that appeared in patches to XP/2K3 and in Vista/2008.
505 * On these machines, the Administrator account is not included in
506 * the default DACL - you just get Administrators + System. For
507 * regular users you get User + System. Because we strip Administrators
508 * when we create the restricted token, we are left with only System
509 * in the DACL which leads to access denied errors for later CreatePipe()
510 * and CreateProcess() calls when running as Administrator.
512 * This function fixes this problem by modifying the DACL of the
513 * token the process will use, and explicitly re-adding the current
514 * user account. This is still secure because the Administrator account
515 * inherits its privileges from the Administrators group - it doesn't
516 * have any of its own.
519 AddUserToTokenDacl(HANDLE hToken
)
522 ACL_SIZE_INFORMATION asi
;
523 ACCESS_ALLOWED_ACE
*pace
;
526 DWORD dwTokenInfoLength
= 0;
528 PTOKEN_USER pTokenUser
= NULL
;
529 TOKEN_DEFAULT_DACL tddNew
;
530 TOKEN_DEFAULT_DACL
*ptdd
= NULL
;
531 TOKEN_INFORMATION_CLASS tic
= TokenDefaultDacl
;
534 /* Figure out the buffer size for the DACL info */
535 if (!GetTokenInformation(hToken
, tic
, (LPVOID
) NULL
, dwTokenInfoLength
, &dwSize
))
537 if (GetLastError() == ERROR_INSUFFICIENT_BUFFER
)
539 ptdd
= (TOKEN_DEFAULT_DACL
*) LocalAlloc(LPTR
, dwSize
);
542 log_error(errcode(ERRCODE_OUT_OF_MEMORY
),
547 if (!GetTokenInformation(hToken
, tic
, (LPVOID
) ptdd
, dwSize
, &dwSize
))
549 log_error(errcode(ERRCODE_SYSTEM_ERROR
),
550 "could not get token information: error code %lu",
557 log_error(errcode(ERRCODE_SYSTEM_ERROR
),
558 "could not get token information buffer size: error code %lu",
564 /* Get the ACL info */
565 if (!GetAclInformation(ptdd
->DefaultDacl
, (LPVOID
) &asi
,
566 (DWORD
) sizeof(ACL_SIZE_INFORMATION
),
569 log_error(errcode(ERRCODE_SYSTEM_ERROR
),
570 "could not get ACL information: error code %lu",
575 /* Get the current user SID */
576 if (!GetTokenUser(hToken
, &pTokenUser
))
577 goto cleanup
; /* callee printed a message */
579 /* Figure out the size of the new ACL */
580 dwNewAclSize
= asi
.AclBytesInUse
+ sizeof(ACCESS_ALLOWED_ACE
) +
581 GetLengthSid(pTokenUser
->User
.Sid
) - sizeof(DWORD
);
583 /* Allocate the ACL buffer & initialize it */
584 pacl
= (PACL
) LocalAlloc(LPTR
, dwNewAclSize
);
587 log_error(errcode(ERRCODE_OUT_OF_MEMORY
),
592 if (!InitializeAcl(pacl
, dwNewAclSize
, ACL_REVISION
))
594 log_error(errcode(ERRCODE_SYSTEM_ERROR
),
595 "could not initialize ACL: error code %lu", GetLastError());
599 /* Loop through the existing ACEs, and build the new ACL */
600 for (i
= 0; i
< (int) asi
.AceCount
; i
++)
602 if (!GetAce(ptdd
->DefaultDacl
, i
, (LPVOID
*) &pace
))
604 log_error(errcode(ERRCODE_SYSTEM_ERROR
),
605 "could not get ACE: error code %lu", GetLastError());
609 if (!AddAce(pacl
, ACL_REVISION
, MAXDWORD
, pace
, ((PACE_HEADER
) pace
)->AceSize
))
611 log_error(errcode(ERRCODE_SYSTEM_ERROR
),
612 "could not add ACE: error code %lu", GetLastError());
617 /* Add the new ACE for the current user */
618 if (!AddAccessAllowedAceEx(pacl
, ACL_REVISION
, OBJECT_INHERIT_ACE
, GENERIC_ALL
, pTokenUser
->User
.Sid
))
620 log_error(errcode(ERRCODE_SYSTEM_ERROR
),
621 "could not add access allowed ACE: error code %lu",
626 /* Set the new DACL in the token */
627 tddNew
.DefaultDacl
= pacl
;
629 if (!SetTokenInformation(hToken
, tic
, (LPVOID
) &tddNew
, dwNewAclSize
))
631 log_error(errcode(ERRCODE_SYSTEM_ERROR
),
632 "could not set token information: error code %lu",
641 LocalFree((HLOCAL
) pTokenUser
);
644 LocalFree((HLOCAL
) pacl
);
647 LocalFree((HLOCAL
) ptdd
);
653 * GetTokenUser(HANDLE hToken, PTOKEN_USER *ppTokenUser)
655 * Get the users token information from a process token.
657 * The caller of this function is responsible for calling LocalFree() on the
658 * returned TOKEN_USER memory.
661 GetTokenUser(HANDLE hToken
, PTOKEN_USER
*ppTokenUser
)
667 if (!GetTokenInformation(hToken
,
673 if (GetLastError() == ERROR_INSUFFICIENT_BUFFER
)
675 *ppTokenUser
= (PTOKEN_USER
) LocalAlloc(LPTR
, dwLength
);
677 if (*ppTokenUser
== NULL
)
679 log_error(errcode(ERRCODE_OUT_OF_MEMORY
),
686 log_error(errcode(ERRCODE_SYSTEM_ERROR
),
687 "could not get token information buffer size: error code %lu",
693 if (!GetTokenInformation(hToken
,
699 LocalFree(*ppTokenUser
);
702 log_error(errcode(ERRCODE_SYSTEM_ERROR
),
703 "could not get token information: error code %lu",
708 /* Memory in *ppTokenUser is LocalFree():d by the caller */