Copy the parent environment when launching worker

osquery · Apr 8, 2020 · 0e5b048 · 0e5b048
1 parent 2993321
commit 0e5b048
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 20 deletions.
diff --git a/osquery/core/init.cpp b/osquery/core/init.cpp
@@ -136,6 +136,7 @@ const std::string kBackupDefaultFlagfile{OSQUERY_HOME "osquery.flags.default"};
 
 const size_t kDatabaseMaxRetryCount{25};
 const size_t kDatabaseRetryDelay{200};
+bool Initializer::isWorker_{false};
 
 namespace {
 
@@ -210,6 +211,8 @@ Initializer::Initializer(int& argc,
   // The config holds the initialization time for easy access.
   Config::setStartTime(getUnixTime());
 
+  isWorker_ = hasWorkerVariable();
+
   // osquery can function as the daemon or shell depending on argv[0].
   if (tool == ToolType::SHELL_DAEMON) {
     if (fs::path(argv[0]).filename().string().find("osqueryd") !=
@@ -482,7 +485,7 @@ void Initializer::initWorkerWatcher(const std::string& name) const {
 }
 
 bool Initializer::isWorker() {
-  return hasWorkerVariable();
+  return isWorker_;
 }
 
 bool Initializer::isWatcher() {

diff --git a/osquery/include/osquery/system.h b/osquery/include/osquery/system.h
@@ -206,6 +206,9 @@ class Initializer : private boost::noncopyable {
 
   /// The deduced program name determined by executing path.
   std::string binary_;
+
+  /// Is this a worker process
+  static bool isWorker_;
 };
 
 /**

diff --git a/osquery/process/windows/process.cpp b/osquery/process/windows/process.cpp
@@ -175,22 +175,6 @@ std::shared_ptr<PlatformProcess> PlatformProcess::launchWorker(
   handle_stream << hLauncherProcess;
   auto handle = handle_stream.str();
 
-  // In the POSIX version, the environment variable OSQUERY_WORKER is set to the
-  // string form of the child process' process ID. However, this is not easily
-  // doable on Windows. Since the value does not appear to be used by the rest
-  // of osquery, we currently just set it to '1'.
-  //
-  // For the worker case, we also set another environment variable,
-  // OSQUERY_LAUNCHER. OSQUERY_LAUNCHER stores the string form of a HANDLE to
-  // the current process. This is mostly used for detecting the death of the
-  // launcher process in WatcherWatcherRunner::start
-  if (!setEnvVar("OSQUERY_WORKER", "1") ||
-      !setEnvVar("OSQUERY_LAUNCHER", handle)) {
-    ::CloseHandle(hLauncherProcess);
-
-    return std::shared_ptr<PlatformProcess>();
-  }
-
   // Since Windows does not accept a char * array for arguments, we have to
   // build one as a string. Therefore, we need to make sure that special
   // characters are not present that would obstruct the parsing of arguments.
@@ -219,18 +203,41 @@ std::shared_ptr<PlatformProcess> PlatformProcess::launchWorker(
   std::vector<char> mutable_argv(cmdline.begin(), cmdline.end());
   mutable_argv.push_back('\0');
 
+  LPCH retrievedEnvironment = GetEnvironmentStringsA();
+  LPTSTR currentEnvironment = (LPTSTR)retrievedEnvironment;
+  std::stringstream childEnvironment;
+  while (*currentEnvironment) {
+    childEnvironment << currentEnvironment;
+    childEnvironment << '\0';
+    currentEnvironment += lstrlen(currentEnvironment) + 1;
+  }
+
+  FreeEnvironmentStrings(retrievedEnvironment);
+
+  // In the POSIX version, the environment variable OSQUERY_WORKER is set to the
+  // string form of the child process' process ID. However, this is not easily
+  // doable on Windows. Since the value does not appear to be used by the rest
+  // of osquery, we currently just set it to '1'.
+  //
+  // For the worker case, we also set another environment variable,
+  // OSQUERY_LAUNCHER. OSQUERY_LAUNCHER stores the string form of a HANDLE to
+  // the current process. This is mostly used for detecting the death of the
+  // launcher process in WatcherWatcherRunner::start
+  childEnvironment << "OSQUERY_WORKER=1" << '\0';
+  childEnvironment << "OSQUERY_LAUNCHER=" << handle << '\0' << '\0';
+
+  std::string environmentString = childEnvironment.str();
+
   auto status = ::CreateProcessA(exec_path.c_str(),
                                  mutable_argv.data(),
                                  nullptr,
                                  nullptr,
                                  TRUE,
                                  IDLE_PRIORITY_CLASS,
-                                 nullptr,
+                                 &environmentString[0],
                                  nullptr,
                                  &si,
                                  &pi);
-  unsetEnvVar("OSQUERY_WORKER");
-  unsetEnvVar("OSQUERY_LAUNCHER");
   ::CloseHandle(hLauncherProcess);
 
   if (!status) {