diff options
| author | Vladislav Vaintroub <wlad@mariadb.com> | 2019-05-02 19:44:36 +0100 |
|---|---|---|
| committer | Vladislav Vaintroub <wlad@mariadb.com> | 2019-05-02 19:44:36 +0100 |
| commit | 13d7c721a54ea777898cd0db9dce8ebc516a8af8 (patch) | |
| tree | a080cfc1a86fb88b942197cc174efd71d5ebf9e7 | |
| parent | 4b0f010b884cb298a33ed438c2b3688c472dbbf7 (diff) | |
| download | mariadb-git-13d7c721a54ea777898cd0db9dce8ebc516a8af8.tar.gz | |
MDEV-17008 prepare with datadir, on Windows, does not set ACL
on tablespace files
Fix is to always add Full Control for NetworkService account, for every
file that copyback/moveback copies around.
| -rw-r--r-- | extra/mariabackup/backup_copy.cc | 68 |
1 files changed, 67 insertions, 1 deletions
diff --git a/extra/mariabackup/backup_copy.cc b/extra/mariabackup/backup_copy.cc index fa665a798ac..ee7f55e304c 100644 --- a/extra/mariabackup/backup_copy.cc +++ b/extra/mariabackup/backup_copy.cc @@ -989,6 +989,65 @@ run_data_threads(datadir_iter_t *it, os_thread_func_t func, uint n) return(ret); } +#ifdef _WIN32 +#include <windows.h> +#include <accctrl.h> +#include <aclapi.h> +/* + On Windows, fix permission of the file after "copyback" + We assume that after copyback, mysqld will run as service as NetworkService + user, thus well give full permission on given file to that user. +*/ + +static int fix_win_file_permissions(const char *file) +{ + struct { + TOKEN_USER tokenUser; + BYTE buffer[SECURITY_MAX_SID_SIZE]; + } tokenInfoBuffer; + HANDLE hFile = CreateFile(file, READ_CONTROL | WRITE_DAC, 0, NULL, OPEN_EXISTING, + FILE_FLAG_BACKUP_SEMANTICS, NULL); + if (hFile == INVALID_HANDLE_VALUE) + return -1; + ACL* pOldDACL; + SECURITY_DESCRIPTOR* pSD = NULL; + EXPLICIT_ACCESS ea = { 0 }; + BOOL isWellKnownSID = FALSE; + PSID pSid = NULL; + + GetSecurityInfo(hFile, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, + &pOldDACL, NULL, (void**)&pSD); + DWORD size = SECURITY_MAX_SID_SIZE; + pSid = (PSID)tokenInfoBuffer.buffer; + if (!CreateWellKnownSid(WinNetworkServiceSid, NULL, pSid, + &size)) + { + return 1; + } + ea.Trustee.TrusteeForm = TRUSTEE_IS_SID; + ea.Trustee.ptstrName = (LPTSTR)pSid; + + ea.grfAccessMode = GRANT_ACCESS; + ea.grfAccessPermissions = GENERIC_ALL; + ea.grfInheritance = CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE; + ea.Trustee.TrusteeType = TRUSTEE_IS_UNKNOWN; + ACL* pNewDACL = 0; + DWORD err = SetEntriesInAcl(1, &ea, pOldDACL, &pNewDACL); + if (pNewDACL) + { + SetSecurityInfo(hFile, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, + pNewDACL, NULL); + } + if (pSD != NULL) + LocalFree((HLOCAL)pSD); + if (pNewDACL != NULL) + LocalFree((HLOCAL)pNewDACL); + CloseHandle(hFile); + return 0; +} + +#endif + /************************************************************************ Copy file for backup/restore. @@ -1037,6 +1096,10 @@ copy_file(ds_ctxt_t *datasink, /* close */ msg(thread_n," ...done"); datafile_close(&cursor); +#ifdef _WIN32 + if (xtrabackup_copy_back || xtrabackup_move_back) + ut_a(!fix_win_file_permissions(dstfile->path)); +#endif if (ds_close(dstfile)) { goto error_close; } @@ -1107,7 +1170,10 @@ move_file(ds_ctxt_t *datasink, errbuf); return(false); } - +#ifdef _WIN32 + if (xtrabackup_copy_back || xtrabackup_move_back) + ut_a(!fix_win_file_permissions(dst_file_path_abs)); +#endif msg(thread_n," ...done"); return(true); |