diff --git a/src/common/restricted_token.c b/src/common/restricted_token.c index 74ba7192a1..e58b4d243f 100644 --- a/src/common/restricted_token.c +++ b/src/common/restricted_token.c @@ -52,23 +52,21 @@ CreateRestrictedProcess(char *cmd, PROCESS_INFORMATION *processInfo) HANDLE restrictedToken; SID_IDENTIFIER_AUTHORITY NtAuthority = {SECURITY_NT_AUTHORITY}; SID_AND_ATTRIBUTES dropSids[2]; - __CreateRestrictedToken _CreateRestrictedToken = NULL; + __CreateRestrictedToken _CreateRestrictedToken; HANDLE Advapi32Handle; - ZeroMemory(&si, sizeof(si)); - si.cb = sizeof(si); - Advapi32Handle = LoadLibrary("ADVAPI32.DLL"); - if (Advapi32Handle != NULL) + if (Advapi32Handle == NULL) { - _CreateRestrictedToken = (__CreateRestrictedToken) GetProcAddress(Advapi32Handle, "CreateRestrictedToken"); + pg_log_warning("cannot load ADVAPI32.DLL"); + return 0; } + _CreateRestrictedToken = (__CreateRestrictedToken) GetProcAddress(Advapi32Handle, "CreateRestrictedToken"); if (_CreateRestrictedToken == NULL) { pg_log_warning("cannot create restricted tokens on this platform"); - if (Advapi32Handle != NULL) - FreeLibrary(Advapi32Handle); + FreeLibrary(Advapi32Handle); return 0; } @@ -76,6 +74,7 @@ CreateRestrictedProcess(char *cmd, PROCESS_INFORMATION *processInfo) if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &origToken)) { pg_log_error("could not open process token: error code %lu", GetLastError()); + FreeLibrary(Advapi32Handle); return 0; } @@ -89,6 +88,8 @@ CreateRestrictedProcess(char *cmd, PROCESS_INFORMATION *processInfo) 0, &dropSids[1].Sid)) { pg_log_error("could not allocate SIDs: error code %lu", GetLastError()); + CloseHandle(origToken); + FreeLibrary(Advapi32Handle); return 0; } @@ -115,6 +116,9 @@ CreateRestrictedProcess(char *cmd, PROCESS_INFORMATION *processInfo) AddUserToTokenDacl(restrictedToken); #endif + ZeroMemory(&si, sizeof(si)); + si.cb = sizeof(si); + if (!CreateProcessAsUser(restrictedToken, NULL, cmd, @@ -187,6 +191,7 @@ get_restricted_token(void) } exit(x); } + pg_free(cmdline); } #endif }