From f7e89bb349d4512b47f94b545e3f489a85e851f0 Mon Sep 17 00:00:00 2001
From: Jian He <jianhe@apache.org>
Date: Fri, 24 Oct 2014 12:48:57 -0700
Subject: [PATCH] HADOOP-11228. Winutils task: unsecure path should not call
 AddNodeManagerAndUserACEsToObject. Contributed by Remus Rusanu

---
 hadoop-common-project/hadoop-common/CHANGES.txt    |  3 +++
 .../hadoop-common/src/main/winutils/task.c         | 14 +++++++++-----
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 7b48a4b588..8feed6552f 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -339,6 +339,9 @@ Trunk (Unreleased)
     HADOOP-11022. User replaced functions get lost 2-3 levels deep (e.g., 
     sbin) (aw)
 
+    HADOOP-11228. Winutils task: unsecure path should not call
+    AddNodeManagerAndUserACEsToObject. (Remus Rusanu via jianhe)
+
   OPTIMIZATIONS
 
     HADOOP-7761. Improve the performance of raw comparisons. (todd)
diff --git a/hadoop-common-project/hadoop-common/src/main/winutils/task.c b/hadoop-common-project/hadoop-common/src/main/winutils/task.c
index f0fc19a754..bfdbd63710 100644
--- a/hadoop-common-project/hadoop-common/src/main/winutils/task.c
+++ b/hadoop-common-project/hadoop-common/src/main/winutils/task.c
@@ -627,11 +627,13 @@ DWORD CreateTaskImpl(__in_opt HANDLE logonHandle, __in PCWSTR jobObjName,__in PC
     return dwErrorCode;
   }
 
-  dwErrorCode = AddNodeManagerAndUserACEsToObject(jobObject, userName, JOB_OBJECT_ALL_ACCESS);
-  if (dwErrorCode) {
-    ReportErrorCode(L"AddNodeManagerAndUserACEsToObject", dwErrorCode);
-    CloseHandle(jobObject);
-    return dwErrorCode;
+  if (logonHandle != NULL) {
+    dwErrorCode = AddNodeManagerAndUserACEsToObject(jobObject, userName, JOB_OBJECT_ALL_ACCESS);
+    if (dwErrorCode) {
+      ReportErrorCode(L"AddNodeManagerAndUserACEsToObject", dwErrorCode);
+      CloseHandle(jobObject);
+      return dwErrorCode;
+    }
   }
 
   if(AssignProcessToJobObject(jobObject, GetCurrentProcess()) == 0)
@@ -706,6 +708,8 @@ DWORD CreateTaskImpl(__in_opt HANDLE logonHandle, __in PCWSTR jobObjName,__in PC
          dwErrorCode = GetLastError();
          ReportErrorCode(L"CreateProcess", dwErrorCode);
       }
+
+    // task create (w/o createAsUser) does not need the ACEs change on the process
     goto create_process_done;
   }