Commiteda7802

committed
start-scripts: switch to $PGUSER before opening $PGLOG.
By default, $PGUSER has permission to unlink $PGLOG. If $PGUSER replaces $PGLOG with a symbolic link, the server will corrupt the link-targeted file by appending log messages. Since these scripts open $PGLOG as root, the attack works regardless of target file ownership.

"make install" does not install these scripts anywhere. Users having manually installed them in the past should repeat that process to acquire this fix. Most script users have $PGLOG writable to root only, located in $PGDATA. Just before updating one of these scripts, such users should rename $PGLOG to $PGLOG.old. The script will then recreate $PGLOG with proper ownership.

Reviewed by Peter Eisentraut. Reported by Antoine Scemama.

Security: CVE-2017-12172
1 parentf6a9267 commiteda7802


3 files changed

+8
-8
lines changed


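--- a/contrib/start-scripts/freebsd
+++ b/contrib/start-scripts/freebsd
@@ -44,15 +44,15 @@ test -x $DAEMON ||
 
 case$1in
 start)
-su -l$PGUSER -c"$DAEMON -D '$PGDATA'&">>$PGLOG2>&1
+su -l$PGUSER -c"$DAEMON -D '$PGDATA' >>$PGLOG 2>&1 &"
 echo -n' postgresql'
 ;;
 stop)
 su -l$PGUSER -c"$PGCTL stop -D '$PGDATA' -s -m fast"
 ;;
 restart)
 su -l$PGUSER -c"$PGCTL stop -D '$PGDATA' -s -m fast -w"
-su -l$PGUSER -c"$DAEMON -D '$PGDATA'&">>$PGLOG2>&1
+su -l$PGUSER -c"$DAEMON -D '$PGDATA' >>$PGLOG 2>&1 &"
 ;;
 status)
 su -l$PGUSER -c"$PGCTL status -D '$PGDATA'"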
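Review bot: `$PGLOG` is spliced unquoted into the `-c` string on new lines 47 and 55, so the shell that `su` starts for `$PGUSER` word-splits and re-parses it, while `$PGDATA` on the same lines is single-quoted. A log path containing a space or a shell metacharacter would send the redirection somewhere other than the intended file, or make it fail outright. Quoting it, as the osx script in this commit does, closes the gap: `su -l $PGUSER -c "$DAEMON -D '$PGDATA' >>'$PGLOG' 2>&1 &"`. The same applies to new lines 87 and 100 of contrib/start-scripts/linux. The `case` statement continues past the end of this hunk.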

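--- a/contrib/start-scripts/linux
+++ b/contrib/start-scripts/linux
@@ -84,7 +84,7 @@ case $1 in
 echo -n"Starting PostgreSQL:"
 test x"$OOM_SCORE_ADJ"!= x&&echo"$OOM_SCORE_ADJ"> /proc/self/oom_score_adj
 test x"$OOM_ADJ"!= x&&echo"$OOM_ADJ"> /proc/self/oom_adj
-su -$PGUSER -c"$DAEMON -D '$PGDATA'&">>$PGLOG2>&1
+su -$PGUSER -c"$DAEMON -D '$PGDATA' >>$PGLOG 2>&1 &"
 echo"ok"
 ;;
 stop)
@@ -97,7 +97,7 @@ case $1 in
 su -$PGUSER -c"$PGCTL stop -D '$PGDATA' -s -m fast -w"
 test x"$OOM_SCORE_ADJ"!= x&&echo"$OOM_SCORE_ADJ"> /proc/self/oom_score_adj
 test x"$OOM_ADJ"!= x&&echo"$OOM_ADJ"> /proc/self/oom_adj
-su -$PGUSER -c"$DAEMON -D '$PGDATA'&">>$PGLOG2>&1
+su -$PGUSER -c"$DAEMON -D '$PGDATA' >>$PGLOG 2>&1 &"
 echo"ok"
 ;;
 reload)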
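Review bot: `echo "ok"` on new lines 88 and 101 runs whether or not the server started, and this change adds a new way for it not to start. The redirection is now performed as `$PGUSER` inside a backgrounded command, so an existing root-owned `$PGLOG` makes the open fail while `su` still appears to return success. The commit message tells administrators to rename the old log, but nothing in the script says so. I would add a comment where `PGLOG` is set (outside this hunk), such as `# $PGLOG is opened as $PGUSER; it must be writable by that user, not root-only`, and consider testing writability as `$PGUSER` before printing "ok". Both hunks sit inside a `case` block that starts and ends outside them.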

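--- a/contrib/start-scripts/osx/PostgreSQL
+++ b/contrib/start-scripts/osx/PostgreSQL
@@ -85,9 +85,9 @@ StartService () {
 if ["${POSTGRESQL:=-NO-}"="-YES-" ];then
 ConsoleMessage"Starting PostgreSQL database server"
 if ["${ROTATELOGS}"="1" ];then
-sudo -u$PGUSER sh -c"${DAEMON} -D '${PGDATA}'&"2>&1|${LOGUTIL}"${PGLOG}"${ROTATESEC}&
+sudo -u$PGUSER sh -c"${DAEMON} -D '${PGDATA}' 2>&1 |${LOGUTIL}\"${PGLOG}\"${ROTATESEC} &"
 else
-sudo -u$PGUSER sh -c"${DAEMON} -D '${PGDATA}'&">>"$PGLOG"2>&1
+sudo -u$PGUSER sh -c"${DAEMON} -D '${PGDATA}'>>\"$PGLOG\" 2>&1 &"
 fi
 fi
 }
@@ -104,9 +104,9 @@ RestartService () {
 sudo -u$PGUSER sh -c"$PGCTL stop -D '${PGDATA}' -s -m fast"
 # should match StartService:
 if ["${ROTATELOGS}"="1" ];then
-sudo -u$PGUSER sh -c"${DAEMON} -D '${PGDATA}'&"2>&1|${LOGUTIL}"${PGLOG}"${ROTATESEC}&
+sudo -u$PGUSER sh -c"${DAEMON} -D '${PGDATA}' 2>&1 |${LOGUTIL}\"${PGLOG}\"${ROTATESEC} &"
 else
-sudo -u$PGUSER sh -c"${DAEMON} -D '${PGDATA}'&">>"$PGLOG"2>&1
+sudo -u$PGUSER sh -c"${DAEMON} -D '${PGDATA}'>>\"$PGLOG\" 2>&1 &"
 fi
 else
 StopService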
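Review bot: The four start commands in StartService and RestartService are textual copies kept in step only by the `# should match StartService:` comment, and this security fix had to be made to each copy by hand. A later edit that touches only one copy would bring back a root-opened `$PGLOG` on that path. Moving the `if [ "${ROTATELOGS}" = "1" ]` block into one helper function that both callers invoke would remove that risk. Whether RestartService can simply call StartService depends on its `POSTGRESQL` check, which I have not verified. Both functions extend beyond the hunks shown.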
