Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit1341e01

Browse files
committed
Ensure that all temp files made during pg_upgrade are non-world-readable.
pg_upgrade has always attempted to ensure that the transient dump filesit creates are inaccessible except to the owner. However, refactoringin commit76a7650 broke that for the file containing "pg_dumpall -g"output; since then, that file was protected according to the process'sdefault umask. Since that file may contain role passwords (hopefullyencrypted, but passwords nonetheless), this is a particularly unfortunateoversight. Prudent users of pg_upgrade on multiuser systems wouldprobably run it under a umask tight enough that the issue is moot, butperhaps some users are depending only on pg_upgrade's umask changes toprotect their data.To fix this in a future-proof way, let's just tighten the umask atprocess start. There are no files pg_upgrade needs to write at aweaker security level; and if there were, transiently relaxing theumask around where they're created would be a safer approach.Report and patch by Tom Lane; the idea for the fix is due to Noah Misch.Back-patch to all supported branches.Security:CVE-2018-1053
1 parentb2e15d3 commit1341e01

File tree

4 files changed

+6
-26
lines changed

4 files changed

+6
-26
lines changed

‎src/bin/pg_upgrade/dump.c

Lines changed: 0 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -19,7 +19,6 @@ void
1919
generate_old_dump(void)
2020
{
2121
intdbnum;
22-
mode_told_umask;
2322

2423
prep_status("Creating dump of global objects");
2524

@@ -34,13 +33,6 @@ generate_old_dump(void)
3433

3534
prep_status("Creating dump of database schemas\n");
3635

37-
/*
38-
* Set umask for this function, all functions it calls, and all
39-
* subprocesses/threads it creates. We can't use fopen_priv() as Windows
40-
* uses threads and umask is process-global.
41-
*/
42-
old_umask=umask(S_IRWXG |S_IRWXO);
43-
4436
/* create per-db dump files */
4537
for (dbnum=0;dbnum<old_cluster.dbarr.ndbs;dbnum++)
4638
{
@@ -75,8 +67,6 @@ generate_old_dump(void)
7567
while (reap_child(true)== true)
7668
;
7769

78-
umask(old_umask);
79-
8070
end_progress_output();
8171
check_ok();
8272
}

‎src/bin/pg_upgrade/file.c

Lines changed: 0 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -314,18 +314,3 @@ win32_pghardlink(const char *src, const char *dst)
314314
return0;
315315
}
316316
#endif
317-
318-
319-
/* fopen() file with no group/other permissions */
320-
FILE*
321-
fopen_priv(constchar*path,constchar*mode)
322-
{
323-
mode_told_umask=umask(S_IRWXG |S_IRWXO);
324-
FILE*fp;
325-
326-
fp=fopen(path,mode);
327-
328-
umask(old_umask);/* we assume this can't change errno */
329-
330-
returnfp;
331-
}

‎src/bin/pg_upgrade/pg_upgrade.c

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -75,6 +75,9 @@ main(int argc, char **argv)
7575
char*deletion_script_file_name=NULL;
7676
boollive_check= false;
7777

78+
/* Ensure that all files created by pg_upgrade are non-world-readable */
79+
umask(S_IRWXG |S_IRWXO);
80+
7881
parseCommandLine(argc,argv);
7982

8083
get_restricted_token(os_info.progname);

‎src/bin/pg_upgrade/pg_upgrade.h

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -374,7 +374,9 @@ void linkFile(const char *src, const char *dst,
374374
voidrewriteVisibilityMap(constchar*fromfile,constchar*tofile,
375375
constchar*schemaName,constchar*relName);
376376
voidcheck_hard_link(void);
377-
FILE*fopen_priv(constchar*path,constchar*mode);
377+
378+
/* fopen_priv() is no longer different from fopen() */
379+
#definefopen_priv(path,mode)fopen(path, mode)
378380

379381
/* function.c */
380382

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp