From b68ee97c8a83d594f11ca20fd6d4c5e1bb52b4b3 Mon Sep 17 00:00:00 2001
From: Sorin Jianu <sorin@chromium.org>
Date: Fri, 5 May 2023 11:21:50 -0700
Subject: [PATCH] Revert to using the metainstaller for elevating machine
 handoff installs

The previous CL used `GoogleUpdate.exe` for elevating machine installs. However, this made machine installs elevate from the `TMP` directory, which is insecure. This CL reverts to using the metainstaller for elevating machine handoff installs, as it was before.

This CL does keep the setup changes of not copying the metainstaller to the versioned install directory. The metainstaller was previously needed for cross-install scenarios, i.e., a user installation /handoff doing a machine install, where elevating the entire metainstaller was safer. However, that scenario was only used by the ActiveX/plugin code, and is no longer in use.
---
 omaha/client/install.cc        |  7 +++----
 omaha/common/goopdate_utils.cc | 32 +++++++++++++++++++++-----------
 omaha/common/goopdate_utils.h  |  5 +++--
 3 files changed, 27 insertions(+), 17 deletions(-)

diff --git a/omaha/client/install.cc b/omaha/client/install.cc
index 02ea89163..2cccdc436 100644
--- a/omaha/client/install.cc
+++ b/omaha/client/install.cc
@@ -247,11 +247,10 @@ HRESULT ElevateAndWait(const CString& cmd_line, DWORD* exit_code) {
   SafeCStringAppendFormat(&cmd_line_elevated, _T(" /%s"),
                           kCmdLineInstallElevated);
 
-  HRESULT hr = goopdate_utils::StartElevatedSelfWithArgsAndWait(
-      cmd_line_elevated, exit_code);
+  HRESULT hr = goopdate_utils::StartElevatedMetainstaller(cmd_line_elevated,
+                                                          exit_code);
   if (FAILED(hr)) {
-    OPT_LOG(LE,
-            (_T("[Elevated GoogleUpdate.exe failed][%s][%#x]"), cmd_line, hr));
+    OPT_LOG(LE, (_T("[Elevated metainstaller failed][%s][%#x]"), cmd_line, hr));
 
     // TODO(omaha3): Report hr somehow. Was reported in extra code in Omaha 2.
     if (vista_util::IsUserNonElevatedAdmin()) {
diff --git a/omaha/common/goopdate_utils.cc b/omaha/common/goopdate_utils.cc
index 96b721c38..ee1eabcd0 100644
--- a/omaha/common/goopdate_utils.cc
+++ b/omaha/common/goopdate_utils.cc
@@ -308,29 +308,39 @@ CString BuildGoogleUpdateServicesEnclosedPath(bool is_machine, bool use64bit) {
   return path;
 }
 
-HRESULT StartElevatedSelfWithArgsAndWait(const TCHAR* args, DWORD* exit_code) {
+HRESULT StartElevatedMetainstaller(const TCHAR* args, DWORD* exit_code) {
   ASSERT1(args);
   ASSERT1(exit_code);
+  CORE_LOG(L3, (_T("[StartElevatedMetainstaller]")));
 
-  CORE_LOG(L3, (_T("[StartElevatedSelfWithArgsAndWait]")));
+  CPath metainstaller_path(app_util::GetCurrentModuleDirectory());
+  VERIFY1(metainstaller_path.Append(kOmahaMetainstallerFileName));
+  if (!File::Exists(metainstaller_path)) {
+    return GOOPDATE_E_METAINSTALLER_NOT_FOUND;
+  }
 
-  // Get the process executable.
-  const CString filename(app_util::GetModulePath(NULL));
+  // In case the metainstaller has been tagged, append the /no_mi_tag switch
+  // to the end of the command line to signal the MI to not append its tag.
+  // The MI will remove the switch before launching the constant shell.
+  // TODO(omaha): Once the ApplyTag library has been refactored to allow
+  // removal/truncation of tags, remove the tag as part of setup (so that the
+  // MI in the permanent install is always untagged) and eliminate this switch.
+  CString new_args;
+  SafeCStringFormat(&new_args, _T("%s /%s"), args, kCmdLineNoMetainstallerTag);
 
-  // Launch self elevated and wait.
+  // Launch metainstaller elevated and wait.
   *exit_code = 0;
-  CORE_LOG(L3, (_T("[Elevating][%s][%s]"), filename, args));
+  CORE_LOG(L3, (_T("[Elevating][%s][%s]"), metainstaller_path, new_args));
 
   // According to the MSDN documentation for ::ShowWindow: "nCmdShow. This
   // parameter is ignored the first time an application calls ShowWindow, if
   // the program that launched the application provides a STARTUPINFO
   // structure.". We want to force showing the UI window. So we pass in
   // SW_SHOWNORMAL.
-  HRESULT hr =
-      vista_util::RunElevated(filename,
-                              args,
-                              SW_SHOWNORMAL,
-                              exit_code);
+  HRESULT hr = vista_util::RunElevated(metainstaller_path,
+                                       new_args,
+                                       SW_SHOWNORMAL,
+                                       exit_code);
   CORE_LOG(L3, (_T("[elevated instance exit code][%u]"), *exit_code));
 
   if (FAILED(hr)) {
diff --git a/omaha/common/goopdate_utils.h b/omaha/common/goopdate_utils.h
index ed1ad30b4..0e1d032ca 100644
--- a/omaha/common/goopdate_utils.h
+++ b/omaha/common/goopdate_utils.h
@@ -100,8 +100,9 @@ HRESULT StartGoogleUpdateWithArgs(bool is_machine,
 // if we're running on a 64-bit OS.
 HRESULT StartCrashHandler(bool is_machine);
 
-// Runs the current executable in an elevated mode using the "Runas" verb.
-HRESULT StartElevatedSelfWithArgsAndWait(const TCHAR* args, DWORD* exit_code);
+// Starts the metainstaller in the same directory as the current module in an
+// elevated mode using the "Runas" verb.
+HRESULT StartElevatedMetainstaller(const TCHAR* args, DWORD* exit_code);
 
 // Registers security and sets the security values for the GoogleUpdate
 // process when running as a COM server.