HADOOP-11228. Winutils task: unsecure path should not call AddNodeManagerAndUserACEsToObject. Contributed by Remus Rusanu

hadoop-common-project/hadoop-common/CHANGES.txt

@@ -339,6 +339,9 @@ Trunk (Unreleased)
     HADOOP-11022. User replaced functions get lost 2-3 levels deep (e.g., 
     sbin) (aw)
 
+    HADOOP-11228. Winutils task: unsecure path should not call
+    AddNodeManagerAndUserACEsToObject. (Remus Rusanu via jianhe)
+
   OPTIMIZATIONS
 
     HADOOP-7761. Improve the performance of raw comparisons. (todd)

hadoop-common-project/hadoop-common/src/main/winutils/task.c

@@ -627,11 +627,13 @@ DWORD CreateTaskImpl(__in_opt HANDLE logonHandle, __in PCWSTR jobObjName,__in PC
     return dwErrorCode;
   }
 
-  dwErrorCode = AddNodeManagerAndUserACEsToObject(jobObject, userName, JOB_OBJECT_ALL_ACCESS);
-  if (dwErrorCode) {
-    ReportErrorCode(L"AddNodeManagerAndUserACEsToObject", dwErrorCode);
-    CloseHandle(jobObject);
-    return dwErrorCode;
+  if (logonHandle != NULL) {
+    dwErrorCode = AddNodeManagerAndUserACEsToObject(jobObject, userName, JOB_OBJECT_ALL_ACCESS);
+    if (dwErrorCode) {
+      ReportErrorCode(L"AddNodeManagerAndUserACEsToObject", dwErrorCode);
+      CloseHandle(jobObject);
+      return dwErrorCode;
+    }
   }
 
   if(AssignProcessToJobObject(jobObject, GetCurrentProcess()) == 0)
@@ -706,6 +708,8 @@ DWORD CreateTaskImpl(__in_opt HANDLE logonHandle, __in PCWSTR jobObjName,__in PC
          dwErrorCode = GetLastError();
          ReportErrorCode(L"CreateProcess", dwErrorCode);
       }
+
+    // task create (w/o createAsUser) does not need the ACEs change on the process
     goto create_process_done;
   }