/*------------------------------------------------------------------------- * * exec.c * Functions for finding and validating executable files * * * Portions Copyright (c) 1996-2025, PostgreSQL Global Development Group * Portions Copyright (c) 1994, Regents of the University of California * * * IDENTIFICATION * src/common/exec.c * *------------------------------------------------------------------------- */ /* * On macOS, "man realpath" avers: * Defining _DARWIN_C_SOURCE or _DARWIN_BETTER_REALPATH before including * stdlib.h will cause the provided implementation of realpath() to use * F_GETPATH from fcntl(2) to discover the path. * This should be harmless everywhere else. */ #define _DARWIN_BETTER_REALPATH #ifndef FRONTEND #include "postgres.h" #else #include "postgres_fe.h" #endif #include #include #include #include #ifdef EXEC_BACKEND #if defined(HAVE_SYS_PERSONALITY_H) #include #elif defined(HAVE_SYS_PROCCTL_H) #include #endif #endif #include "common/string.h" /* Inhibit mingw CRT's auto-globbing of command line arguments */ #if defined(WIN32) && !defined(_MSC_VER) extern int _CRT_glob = 0; /* 0 turns off globbing; 1 turns it on */ #endif /* * Hacky solution to allow expressing both frontend and backend error reports * in one macro call. First argument of log_error is an errcode() call of * some sort (ignored if FRONTEND); the rest are errmsg_internal() arguments, * i.e. message string and any parameters for it. * * Caller must provide the gettext wrapper around the message string, if * appropriate, so that it gets translated in the FRONTEND case; this * motivates using errmsg_internal() not errmsg(). We handle appending a * newline, if needed, inside the macro, so that there's only one translatable * string per call not two. */ #ifndef FRONTEND #define log_error(errcodefn, ...) \ ereport(LOG, (errcodefn, errmsg_internal(__VA_ARGS__))) #else #define log_error(errcodefn, ...) \ (fprintf(stderr, __VA_ARGS__), fputc('\n', stderr)) #endif static int normalize_exec_path(char *path); static char *pg_realpath(const char *fname); #ifdef WIN32 static BOOL GetTokenUser(HANDLE hToken, PTOKEN_USER *ppTokenUser); #endif /* * validate_exec -- validate "path" as an executable file * * returns 0 if the file is found and no error is encountered. * -1 if the regular file "path" does not exist or cannot be executed. * -2 if the file is otherwise valid but cannot be read. * in the failure cases, errno is set appropriately */ int validate_exec(const char *path) { struct stat buf; int is_r; int is_x; #ifdef WIN32 char path_exe[MAXPGPATH + sizeof(".exe") - 1]; /* Win32 requires a .exe suffix for stat() */ if (strlen(path) < strlen(".exe") || pg_strcasecmp(path + strlen(path) - strlen(".exe"), ".exe") != 0) { strlcpy(path_exe, path, sizeof(path_exe) - 4); strcat(path_exe, ".exe"); path = path_exe; } #endif /* * Ensure that the file exists and is a regular file. * * XXX if you have a broken system where stat() looks at the symlink * instead of the underlying file, you lose. */ if (stat(path, &buf) < 0) return -1; if (!S_ISREG(buf.st_mode)) { /* * POSIX offers no errno code that's simply "not a regular file". If * it's a directory we can use EISDIR. Otherwise, it's most likely a * device special file, and EPERM (Operation not permitted) isn't too * horribly off base. */ errno = S_ISDIR(buf.st_mode) ? EISDIR : EPERM; return -1; } /* * Ensure that the file is both executable and readable (required for * dynamic loading). */ #ifndef WIN32 is_r = (access(path, R_OK) == 0); is_x = (access(path, X_OK) == 0); /* access() will set errno if it returns -1 */ #else is_r = buf.st_mode & S_IRUSR; is_x = buf.st_mode & S_IXUSR; errno = EACCES; /* appropriate thing if we return nonzero */ #endif return is_x ? (is_r ? 0 : -2) : -1; } /* * find_my_exec -- find an absolute path to this program's executable * * argv0 is the name passed on the command line * retpath is the output area (must be of size MAXPGPATH) * Returns 0 if OK, -1 if error. * * The reason we have to work so hard to find an absolute path is that * on some platforms we can't do dynamic loading unless we know the * executable's location. Also, we need an absolute path not a relative * path because we may later change working directory. Finally, we want * a true path not a symlink location, so that we can locate other files * that are part of our installation relative to the executable. */ int find_my_exec(const char *argv0, char *retpath) { char *path; /* * If argv0 contains a separator, then PATH wasn't used. */ strlcpy(retpath, argv0, MAXPGPATH); if (first_dir_separator(retpath) != NULL) { if (validate_exec(retpath) == 0) return normalize_exec_path(retpath); log_error(errcode(ERRCODE_WRONG_OBJECT_TYPE), _("invalid binary \"%s\": %m"), retpath); return -1; } #ifdef WIN32 /* Win32 checks the current directory first for names without slashes */ if (validate_exec(retpath) == 0) return normalize_exec_path(retpath); #endif /* * Since no explicit path was supplied, the user must have been relying on * PATH. We'll search the same PATH. */ if ((path = getenv("PATH")) && *path) { char *startp = NULL, *endp = NULL; do { if (!startp) startp = path; else startp = endp + 1; endp = first_path_var_separator(startp); if (!endp) endp = startp + strlen(startp); /* point to end */ strlcpy(retpath, startp, Min(endp - startp + 1, MAXPGPATH)); join_path_components(retpath, retpath, argv0); canonicalize_path(retpath); switch (validate_exec(retpath)) { case 0: /* found ok */ return normalize_exec_path(retpath); case -1: /* wasn't even a candidate, keep looking */ break; case -2: /* found but disqualified */ log_error(errcode(ERRCODE_WRONG_OBJECT_TYPE), _("could not read binary \"%s\": %m"), retpath); break; } } while (*endp); } log_error(errcode(ERRCODE_UNDEFINED_FILE), _("could not find a \"%s\" to execute"), argv0); return -1; } /* * normalize_exec_path - resolve symlinks and convert to absolute path * * Given a path that refers to an executable, chase through any symlinks * to find the real file location; then convert that to an absolute path. * * On success, replaces the contents of "path" with the absolute path. * ("path" is assumed to be of size MAXPGPATH.) * Returns 0 if OK, -1 if error. */ static int normalize_exec_path(char *path) { /* * We used to do a lot of work ourselves here, but now we just let * realpath(3) do all the heavy lifting. */ char *abspath = pg_realpath(path); if (abspath == NULL) { log_error(errcode_for_file_access(), _("could not resolve path \"%s\" to absolute form: %m"), path); return -1; } strlcpy(path, abspath, MAXPGPATH); free(abspath); #ifdef WIN32 /* On Windows, be sure to convert '\' to '/' */ canonicalize_path(path); #endif return 0; } /* * pg_realpath() - realpath(3) with POSIX.1-2008 semantics * * This is equivalent to realpath(fname, NULL), in that it returns a * malloc'd buffer containing the absolute path equivalent to fname. * On error, returns NULL with errno set. * * On Windows, what you get is spelled per platform conventions, * so you probably want to apply canonicalize_path() to the result. * * For now, this is needed only here so mark it static. If you choose to * move it into its own file, move the _DARWIN_BETTER_REALPATH #define too! */ static char * pg_realpath(const char *fname) { char *path; #ifndef WIN32 path = realpath(fname, NULL); #else /* WIN32 */ /* * Microsoft is resolutely non-POSIX, but _fullpath() does the same thing. * The documentation claims it reports errors by setting errno, which is a * bit surprising for Microsoft, but we'll believe that until it's proven * wrong. Clear errno first, though, so we can at least tell if a failure * occurs and doesn't set it. */ errno = 0; path = _fullpath(NULL, fname, 0); #endif return path; } /* * Find another program in our binary's directory, * then make sure it is the proper version. */ int find_other_exec(const char *argv0, const char *target, const char *versionstr, char *retpath) { char cmd[MAXPGPATH]; char *line; if (find_my_exec(argv0, retpath) < 0) return -1; /* Trim off program name and keep just directory */ *last_dir_separator(retpath) = '\0'; canonicalize_path(retpath); /* Now append the other program's name */ snprintf(retpath + strlen(retpath), MAXPGPATH - strlen(retpath), "/%s%s", target, EXE); if (validate_exec(retpath) != 0) return -1; snprintf(cmd, sizeof(cmd), "\"%s\" -V", retpath); if ((line = pipe_read_line(cmd)) == NULL) return -1; if (strcmp(line, versionstr) != 0) { pfree(line); return -2; } pfree(line); return 0; } /* * Execute a command in a pipe and read the first line from it. The returned * string is palloc'd (malloc'd in frontend code), the caller is responsible * for freeing. */ char * pipe_read_line(char *cmd) { FILE *pipe_cmd; char *line; fflush(NULL); errno = 0; if ((pipe_cmd = popen(cmd, "r")) == NULL) { log_error(errcode(ERRCODE_SYSTEM_ERROR), _("could not execute command \"%s\": %m"), cmd); return NULL; } /* Make sure popen() didn't change errno */ errno = 0; line = pg_get_line(pipe_cmd, NULL); if (line == NULL) { if (ferror(pipe_cmd)) log_error(errcode_for_file_access(), _("could not read from command \"%s\": %m"), cmd); else log_error(errcode(ERRCODE_NO_DATA), _("no data was returned by command \"%s\""), cmd); } (void) pclose_check(pipe_cmd); return line; } /* * pclose() plus useful error reporting */ int pclose_check(FILE *stream) { int exitstatus; char *reason; exitstatus = pclose(stream); if (exitstatus == 0) return 0; /* all is well */ if (exitstatus == -1) { /* pclose() itself failed, and hopefully set errno */ log_error(errcode(ERRCODE_SYSTEM_ERROR), _("%s() failed: %m"), "pclose"); } else { reason = wait_result_to_str(exitstatus); log_error(errcode(ERRCODE_SYSTEM_ERROR), "%s", reason); pfree(reason); } return exitstatus; } /* * set_pglocale_pgservice * * Set application-specific locale and service directory * * This function takes the value of argv[0] rather than a full path. * * (You may be wondering why this is in exec.c. It requires this module's * services and doesn't introduce any new dependencies, so this seems as * good as anyplace.) */ void set_pglocale_pgservice(const char *argv0, const char *app) { char path[MAXPGPATH]; char my_exec_path[MAXPGPATH]; /* don't set LC_ALL in the backend */ if (strcmp(app, PG_TEXTDOMAIN("postgres")) != 0) { setlocale(LC_ALL, ""); /* * One could make a case for reproducing here PostmasterMain()'s test * for whether the process is multithreaded. Unlike the postmaster, * no frontend program calls sigprocmask() or otherwise provides for * mutual exclusion between signal handlers. While frontends using * fork(), if multithreaded, are formally exposed to undefined * behavior, we have not witnessed a concrete bug. Therefore, * complaining about multithreading here may be mere pedantry. */ } if (find_my_exec(argv0, my_exec_path) < 0) return; #ifdef ENABLE_NLS get_locale_path(my_exec_path, path); bindtextdomain(app, path); textdomain(app); /* set for libpq to use, but don't override existing setting */ setenv("PGLOCALEDIR", path, 0); #endif if (getenv("PGSYSCONFDIR") == NULL) { get_etc_path(my_exec_path, path); /* set for libpq to use */ setenv("PGSYSCONFDIR", path, 0); } } #ifdef EXEC_BACKEND /* * For the benefit of PostgreSQL developers testing EXEC_BACKEND on Unix * systems (code paths normally exercised only on Windows), provide a way to * disable address space layout randomization, if we know how on this platform. * Otherwise, backends may fail to attach to shared memory at the fixed address * chosen by the postmaster. (See also the macOS-specific hack in * sysv_shmem.c.) */ int pg_disable_aslr(void) { #if defined(HAVE_SYS_PERSONALITY_H) return personality(ADDR_NO_RANDOMIZE); #elif defined(HAVE_SYS_PROCCTL_H) && defined(PROC_ASLR_FORCE_DISABLE) int data = PROC_ASLR_FORCE_DISABLE; return procctl(P_PID, 0, PROC_ASLR_CTL, &data); #else errno = ENOSYS; return -1; #endif } #endif #ifdef WIN32 /* * AddUserToTokenDacl(HANDLE hToken) * * This function adds the current user account to the restricted * token used when we create a restricted process. * * This is required because of some security changes in Windows * that appeared in patches to XP/2K3 and in Vista/2008. * * On these machines, the Administrator account is not included in * the default DACL - you just get Administrators + System. For * regular users you get User + System. Because we strip Administrators * when we create the restricted token, we are left with only System * in the DACL which leads to access denied errors for later CreatePipe() * and CreateProcess() calls when running as Administrator. * * This function fixes this problem by modifying the DACL of the * token the process will use, and explicitly re-adding the current * user account. This is still secure because the Administrator account * inherits its privileges from the Administrators group - it doesn't * have any of its own. */ BOOL AddUserToTokenDacl(HANDLE hToken) { int i; ACL_SIZE_INFORMATION asi; ACCESS_ALLOWED_ACE *pace; DWORD dwNewAclSize; DWORD dwSize = 0; DWORD dwTokenInfoLength = 0; PACL pacl = NULL; PTOKEN_USER pTokenUser = NULL; TOKEN_DEFAULT_DACL tddNew; TOKEN_DEFAULT_DACL *ptdd = NULL; TOKEN_INFORMATION_CLASS tic = TokenDefaultDacl; BOOL ret = FALSE; /* Figure out the buffer size for the DACL info */ if (!GetTokenInformation(hToken, tic, (LPVOID) NULL, dwTokenInfoLength, &dwSize)) { if (GetLastError() == ERROR_INSUFFICIENT_BUFFER) { ptdd = (TOKEN_DEFAULT_DACL *) LocalAlloc(LPTR, dwSize); if (ptdd == NULL) { log_error(errcode(ERRCODE_OUT_OF_MEMORY), _("out of memory")); goto cleanup; } if (!GetTokenInformation(hToken, tic, (LPVOID) ptdd, dwSize, &dwSize)) { log_error(errcode(ERRCODE_SYSTEM_ERROR), "could not get token information: error code %lu", GetLastError()); goto cleanup; } } else { log_error(errcode(ERRCODE_SYSTEM_ERROR), "could not get token information buffer size: error code %lu", GetLastError()); goto cleanup; } } /* Get the ACL info */ if (!GetAclInformation(ptdd->DefaultDacl, (LPVOID) &asi, (DWORD) sizeof(ACL_SIZE_INFORMATION), AclSizeInformation)) { log_error(errcode(ERRCODE_SYSTEM_ERROR), "could not get ACL information: error code %lu", GetLastError()); goto cleanup; } /* Get the current user SID */ if (!GetTokenUser(hToken, &pTokenUser)) goto cleanup; /* callee printed a message */ /* Figure out the size of the new ACL */ dwNewAclSize = asi.AclBytesInUse + sizeof(ACCESS_ALLOWED_ACE) + GetLengthSid(pTokenUser->User.Sid) - sizeof(DWORD); /* Allocate the ACL buffer & initialize it */ pacl = (PACL) LocalAlloc(LPTR, dwNewAclSize); if (pacl == NULL) { log_error(errcode(ERRCODE_OUT_OF_MEMORY), _("out of memory")); goto cleanup; } if (!InitializeAcl(pacl, dwNewAclSize, ACL_REVISION)) { log_error(errcode(ERRCODE_SYSTEM_ERROR), "could not initialize ACL: error code %lu", GetLastError()); goto cleanup; } /* Loop through the existing ACEs, and build the new ACL */ for (i = 0; i < (int) asi.AceCount; i++) { if (!GetAce(ptdd->DefaultDacl, i, (LPVOID *) &pace)) { log_error(errcode(ERRCODE_SYSTEM_ERROR), "could not get ACE: error code %lu", GetLastError()); goto cleanup; } if (!AddAce(pacl, ACL_REVISION, MAXDWORD, pace, ((PACE_HEADER) pace)->AceSize)) { log_error(errcode(ERRCODE_SYSTEM_ERROR), "could not add ACE: error code %lu", GetLastError()); goto cleanup; } } /* Add the new ACE for the current user */ if (!AddAccessAllowedAceEx(pacl, ACL_REVISION, OBJECT_INHERIT_ACE, GENERIC_ALL, pTokenUser->User.Sid)) { log_error(errcode(ERRCODE_SYSTEM_ERROR), "could not add access allowed ACE: error code %lu", GetLastError()); goto cleanup; } /* Set the new DACL in the token */ tddNew.DefaultDacl = pacl; if (!SetTokenInformation(hToken, tic, (LPVOID) &tddNew, dwNewAclSize)) { log_error(errcode(ERRCODE_SYSTEM_ERROR), "could not set token information: error code %lu", GetLastError()); goto cleanup; } ret = TRUE; cleanup: if (pTokenUser) LocalFree((HLOCAL) pTokenUser); if (pacl) LocalFree((HLOCAL) pacl); if (ptdd) LocalFree((HLOCAL) ptdd); return ret; } /* * GetTokenUser(HANDLE hToken, PTOKEN_USER *ppTokenUser) * * Get the users token information from a process token. * * The caller of this function is responsible for calling LocalFree() on the * returned TOKEN_USER memory. */ static BOOL GetTokenUser(HANDLE hToken, PTOKEN_USER *ppTokenUser) { DWORD dwLength; *ppTokenUser = NULL; if (!GetTokenInformation(hToken, TokenUser, NULL, 0, &dwLength)) { if (GetLastError() == ERROR_INSUFFICIENT_BUFFER) { *ppTokenUser = (PTOKEN_USER) LocalAlloc(LPTR, dwLength); if (*ppTokenUser == NULL) { log_error(errcode(ERRCODE_OUT_OF_MEMORY), _("out of memory")); return FALSE; } } else { log_error(errcode(ERRCODE_SYSTEM_ERROR), "could not get token information buffer size: error code %lu", GetLastError()); return FALSE; } } if (!GetTokenInformation(hToken, TokenUser, *ppTokenUser, dwLength, &dwLength)) { LocalFree(*ppTokenUser); *ppTokenUser = NULL; log_error(errcode(ERRCODE_SYSTEM_ERROR), "could not get token information: error code %lu", GetLastError()); return FALSE; } /* Memory in *ppTokenUser is LocalFree():d by the caller */ return TRUE; } #endif