Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit17aa023

Browse files
committed
Ensure that all temp files made during pg_upgrade are non-world-readable.
pg_upgrade has always attempted to ensure that the transient dump filesit creates are inaccessible except to the owner. However, refactoringin commit76a7650 broke that for the file containing "pg_dumpall -g"output; since then, that file was protected according to the process'sdefault umask. Since that file may contain role passwords (hopefullyencrypted, but passwords nonetheless), this is a particularly unfortunateoversight. Prudent users of pg_upgrade on multiuser systems wouldprobably run it under a umask tight enough that the issue is moot, butperhaps some users are depending only on pg_upgrade's umask changes toprotect their data.To fix this in a future-proof way, let's just tighten the umask atprocess start. There are no files pg_upgrade needs to write at aweaker security level; and if there were, transiently relaxing theumask around where they're created would be a safer approach.Report and patch by Tom Lane; the idea for the fix is due to Noah Misch.Back-patch to all supported branches.Security:CVE-2018-1053
1 parent0878b91 commit17aa023

File tree

4 files changed

+6
-25
lines changed

4 files changed

+6
-25
lines changed

‎src/bin/pg_upgrade/dump.c‎

Lines changed: 0 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,6 @@ void
1818
generate_old_dump(void)
1919
{
2020
intdbnum;
21-
mode_told_umask;
2221

2322
prep_status("Creating dump of global objects");
2423

@@ -33,13 +32,6 @@ generate_old_dump(void)
3332

3433
prep_status("Creating dump of database schemas\n");
3534

36-
/*
37-
* Set umask for this function, all functions it calls, and all
38-
* subprocesses/threads it creates. We can't use fopen_priv() as Windows
39-
* uses threads and umask is process-global.
40-
*/
41-
old_umask=umask(S_IRWXG |S_IRWXO);
42-
4335
/* create per-db dump files */
4436
for (dbnum=0;dbnum<old_cluster.dbarr.ndbs;dbnum++)
4537
{
@@ -74,8 +66,6 @@ generate_old_dump(void)
7466
while (reap_child(true)== true)
7567
;
7668

77-
umask(old_umask);
78-
7969
end_progress_output();
8070
check_ok();
8171
}

‎src/bin/pg_upgrade/file.c‎

Lines changed: 0 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -238,17 +238,3 @@ win32_pghardlink(const char *src, const char *dst)
238238
return0;
239239
}
240240
#endif
241-
242-
243-
/* fopen() file with no group/other permissions */
244-
FILE*
245-
fopen_priv(constchar*path,constchar*mode)
246-
{
247-
mode_told_umask=umask(S_IRWXG |S_IRWXO);
248-
FILE*fp;
249-
250-
fp=fopen(path,mode);
251-
umask(old_umask);
252-
253-
returnfp;
254-
}

‎src/bin/pg_upgrade/pg_upgrade.c‎

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -74,6 +74,9 @@ main(int argc, char **argv)
7474
char*deletion_script_file_name=NULL;
7575
boollive_check= false;
7676

77+
/* Ensure that all files created by pg_upgrade are non-world-readable */
78+
umask(S_IRWXG |S_IRWXO);
79+
7780
parseCommandLine(argc,argv);
7881

7982
get_restricted_token(os_info.progname);

‎src/bin/pg_upgrade/pg_upgrade.h‎

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -400,7 +400,9 @@ const char *linkAndUpdateFile(pageCnvCtx *pageConverter, const char *src,
400400
constchar*dst);
401401

402402
voidcheck_hard_link(void);
403-
FILE*fopen_priv(constchar*path,constchar*mode);
403+
404+
/* fopen_priv() is no longer different from fopen() */
405+
#definefopen_priv(path,mode)fopen(path, mode)
404406

405407
/* function.c */
406408

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp