Commitb500297

committed
start-scripts: switch to $PGUSER before opening $PGLOG.
By default, $PGUSER has permission to unlink $PGLOG. If $PGUSER replaces $PGLOG with a symbolic link, the server will corrupt the link-targeted file by appending log messages. Since these scripts open $PGLOG as root, the attack works regardless of target file ownership.

"make install" does not install these scripts anywhere. Users having manually installed them in the past should repeat that process to acquire this fix. Most script users have $PGLOG writable to root only, located in $PGDATA. Just before updating one of these scripts, such users should rename $PGLOG to $PGLOG.old. The script will then recreate $PGLOG with proper ownership.

Reviewed by Peter Eisentraut. Reported by Antoine Scemama.

Security: CVE-2017-12172
1 parent1ea3f6a commitb500297


3 files changed

+8
-8
lines changed

3 files changed

+8
-8
lines changed

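--- a/contrib/start-scripts/freebsd
+++ b/contrib/start-scripts/freebsd
@@ -44,15 +44,15 @@ test -x $DAEMON ||
 
 case$1in
 start)
-su -l$PGUSER -c"$DAEMON -D '$PGDATA'&">>$PGLOG2>&1
+su -l$PGUSER -c"$DAEMON -D '$PGDATA' >>$PGLOG 2>&1 &"
 echo -n' postgresql'
 ;;
 stop)
 su -l$PGUSER -c"$PGCTL stop -D '$PGDATA' -s -m fast"
 ;;
 restart)
 su -l$PGUSER -c"$PGCTL stop -D '$PGDATA' -s -m fast -w"
-su -l$PGUSER -c"$DAEMON -D '$PGDATA'&">>$PGLOG2>&1
+su -l$PGUSER -c"$DAEMON -D '$PGDATA' >>$PGLOG 2>&1 &"
 ;;
 status)
 su -l$PGUSER -c"$PGCTL status -D '$PGDATA'"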
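Review bot: `$PGLOG` is spliced unquoted into the `-c` string on the new `start)` and `restart)` lines, while `$PGDATA` beside it is single-quoted and the osx script in this same commit puts escaped quotes around the log path. The path is now parsed by the `$PGUSER` shell rather than used as a redirect target in the calling shell, so a log path containing whitespace or shell metacharacters would be split or reinterpreted there. Quoting it like the data directory keeps the two consistent: `su -l $PGUSER -c "$DAEMON -D '$PGDATA' >>'$PGLOG' 2>&1 &"`. The two new lines in contrib/start-scripts/linux have the same form. The `case` block starts and ends outside this hunk.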

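--- a/contrib/start-scripts/linux
+++ b/contrib/start-scripts/linux
@@ -84,7 +84,7 @@ case $1 in
 echo -n"Starting PostgreSQL:"
 test x"$OOM_SCORE_ADJ"!= x&&echo"$OOM_SCORE_ADJ"> /proc/self/oom_score_adj
 test x"$OOM_ADJ"!= x&&echo"$OOM_ADJ"> /proc/self/oom_adj
-su -$PGUSER -c"$DAEMON -D '$PGDATA'&">>$PGLOG2>&1
+su -$PGUSER -c"$DAEMON -D '$PGDATA' >>$PGLOG 2>&1 &"
 echo"ok"
 ;;
 stop)
@@ -97,7 +97,7 @@ case $1 in
 su -$PGUSER -c"$PGCTL stop -D '$PGDATA' -s -m fast -w"
 test x"$OOM_SCORE_ADJ"!= x&&echo"$OOM_SCORE_ADJ"> /proc/self/oom_score_adj
 test x"$OOM_ADJ"!= x&&echo"$OOM_ADJ"> /proc/self/oom_adj
-su -$PGUSER -c"$DAEMON -D '$PGDATA'&">>$PGLOG2>&1
+su -$PGUSER -c"$DAEMON -D '$PGDATA' >>$PGLOG 2>&1 &"
 echo"ok"
 ;;
 reload)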
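Review bot: Nothing on the new `su` lines in the two hunks records why the redirection sits inside the `-c` string, so a later tidy-up could move `>>$PGLOG 2>&1` back outside the quotes and have the log opened as root again. A comment directly above each line would pin the intent, for example `# Redirect inside -c: $PGLOG must be opened as $PGUSER, not root (CVE-2017-12172).` If the script carries header comments about `$PGLOG`, they should also say that an existing root-owned log must be renamed before upgrading, as the commit message describes. Both `case` arms continue outside the hunks shown.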

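--- a/contrib/start-scripts/osx/PostgreSQL
+++ b/contrib/start-scripts/osx/PostgreSQL
@@ -81,9 +81,9 @@ StartService () {
 if ["${POSTGRESQL:=-NO-}"="-YES-" ];then
 ConsoleMessage"Starting PostgreSQL database server"
 if ["${ROTATELOGS}"="1" ];then
-sudo -u$PGUSER sh -c"${DAEMON} -D '${PGDATA}'&"2>&1|${LOGUTIL}"${PGLOG}"${ROTATESEC}&
+sudo -u$PGUSER sh -c"${DAEMON} -D '${PGDATA}' 2>&1 |${LOGUTIL}\"${PGLOG}\"${ROTATESEC} &"
 else
-sudo -u$PGUSER sh -c"${DAEMON} -D '${PGDATA}'&">>"$PGLOG"2>&1
+sudo -u$PGUSER sh -c"${DAEMON} -D '${PGDATA}'>>\"$PGLOG\" 2>&1 &"
 fi
 fi
 }
@@ -100,9 +100,9 @@ RestartService () {
 sudo -u$PGUSER sh -c"$PGCTL stop -D '${PGDATA}' -s -m fast"
 # should match StartService:
 if ["${ROTATELOGS}"="1" ];then
-sudo -u$PGUSER sh -c"${DAEMON} -D '${PGDATA}'&"2>&1|${LOGUTIL}"${PGLOG}"${ROTATESEC}&
+sudo -u$PGUSER sh -c"${DAEMON} -D '${PGDATA}' 2>&1 |${LOGUTIL}\"${PGLOG}\"${ROTATESEC} &"
 else
-sudo -u$PGUSER sh -c"${DAEMON} -D '${PGDATA}'&">>"$PGLOG"2>&1
+sudo -u$PGUSER sh -c"${DAEMON} -D '${PGDATA}'>>\"$PGLOG\" 2>&1 &"
 fi
 else
 StopService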
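Review bot: The same two-branch launch block now exists twice, in `StartService` and `RestartService`, tied together only by the `# should match StartService:` comment, and this fix had to be applied to both copies by hand. Keeping the redirect and the `${LOGUTIL}` pipe inside the `sh -c` string is what stops `$PGLOG` from being opened with the caller's privileges, so a future edit that touches only one copy would be security-relevant. Moving the `if [ "${ROTATELOGS}" = "1" ]` block into one helper function called from both places would remove that risk. Separately, `${LOGUTIL}` and `${ROTATESEC}` are still expanded unquoted inside the string, unlike `${PGLOG}`. `RestartService` continues past the end of the second hunk.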
