Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit9c59e48

Browse files
committed
Ensure that all temp files made during pg_upgrade are non-world-readable.
pg_upgrade has always attempted to ensure that the transient dump filesit creates are inaccessible except to the owner. However, refactoringin commit76a7650 broke that for the file containing "pg_dumpall -g"output; since then, that file was protected according to the process'sdefault umask. Since that file may contain role passwords (hopefullyencrypted, but passwords nonetheless), this is a particularly unfortunateoversight. Prudent users of pg_upgrade on multiuser systems wouldprobably run it under a umask tight enough that the issue is moot, butperhaps some users are depending only on pg_upgrade's umask changes toprotect their data.To fix this in a future-proof way, let's just tighten the umask atprocess start. There are no files pg_upgrade needs to write at aweaker security level; and if there were, transiently relaxing theumask around where they're created would be a safer approach.Report and patch by Tom Lane; the idea for the fix is due to Noah Misch.Back-patch to all supported branches.Security:CVE-2018-1053
1 parentb76aa1f commit9c59e48

File tree

4 files changed

+6
-25
lines changed

4 files changed

+6
-25
lines changed

‎contrib/pg_upgrade/dump.c‎

Lines changed: 0 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,6 @@ void
1818
generate_old_dump(void)
1919
{
2020
intdbnum;
21-
mode_told_umask;
2221

2322
prep_status("Creating dump of global objects");
2423

@@ -33,13 +32,6 @@ generate_old_dump(void)
3332

3433
prep_status("Creating dump of database schemas\n");
3534

36-
/*
37-
* Set umask for this function, all functions it calls, and all
38-
* subprocesses/threads it creates. We can't use fopen_priv()
39-
* as Windows uses threads and umask is process-global.
40-
*/
41-
old_umask=umask(S_IRWXG |S_IRWXO);
42-
4335
/* create per-db dump files */
4436
for (dbnum=0;dbnum<old_cluster.dbarr.ndbs;dbnum++)
4537
{
@@ -74,8 +66,6 @@ generate_old_dump(void)
7466
while (reap_child(true)== true)
7567
;
7668

77-
umask(old_umask);
78-
7969
end_progress_output();
8070
check_ok();
8171
}

‎contrib/pg_upgrade/file.c‎

Lines changed: 0 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -239,17 +239,3 @@ win32_pghardlink(const char *src, const char *dst)
239239
return0;
240240
}
241241
#endif
242-
243-
244-
/* fopen() file with no group/other permissions */
245-
FILE*
246-
fopen_priv(constchar*path,constchar*mode)
247-
{
248-
mode_told_umask=umask(S_IRWXG |S_IRWXO);
249-
FILE*fp;
250-
251-
fp=fopen(path,mode);
252-
umask(old_umask);
253-
254-
returnfp;
255-
}

‎contrib/pg_upgrade/pg_upgrade.c‎

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -83,6 +83,9 @@ main(int argc, char **argv)
8383
char*deletion_script_file_name=NULL;
8484
boollive_check= false;
8585

86+
/* Ensure that all files created by pg_upgrade are non-world-readable */
87+
umask(S_IRWXG |S_IRWXO);
88+
8689
parseCommandLine(argc,argv);
8790

8891
get_restricted_token(os_info.progname);

‎contrib/pg_upgrade/pg_upgrade.h‎

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -385,7 +385,9 @@ const char *linkAndUpdateFile(pageCnvCtx *pageConverter, const char *src,
385385
constchar*dst);
386386

387387
voidcheck_hard_link(void);
388-
FILE*fopen_priv(constchar*path,constchar*mode);
388+
389+
/* fopen_priv() is no longer different from fopen() */
390+
#definefopen_priv(path,mode)fopen(path, mode)
389391

390392
/* function.c */
391393

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp