Commitb7d6f75

committed
start-scripts: switch to $PGUSER before opening $PGLOG.
By default, $PGUSER has permission to unlink $PGLOG. If $PGUSER replaces $PGLOG with a symbolic link, the server will corrupt the link-targeted file by appending log messages. Since these scripts open $PGLOG as root, the attack works regardless of target file ownership.

"make install" does not install these scripts anywhere. Users having manually installed them in the past should repeat that process to acquire this fix. Most script users have $PGLOG writable to root only, located in $PGDATA. Just before updating one of these scripts, such users should rename $PGLOG to $PGLOG.old. The script will then recreate $PGLOG with proper ownership.

Reviewed by Peter Eisentraut. Reported by Antoine Scemama.

Security: CVE-2017-12172
1 parent1f23d1c commitb7d6f75


3 files changed

+8
-8
lines changed


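--- a/contrib/start-scripts/freebsd
+++ b/contrib/start-scripts/freebsd
@@ -44,15 +44,15 @@ test -x $DAEMON ||
 
 case$1in
 start)
-su -l$PGUSER -c"$DAEMON -D '$PGDATA'&">>$PGLOG2>&1
+su -l$PGUSER -c"$DAEMON -D '$PGDATA' >>$PGLOG 2>&1 &"
 echo -n' postgresql'
 ;;
 stop)
 su -l$PGUSER -c"$PGCTL stop -D '$PGDATA' -s -m fast"
 ;;
 restart)
 su -l$PGUSER -c"$PGCTL stop -D '$PGDATA' -s -m fast -w"
-su -l$PGUSER -c"$DAEMON -D '$PGDATA'&">>$PGLOG2>&1
+su -l$PGUSER -c"$DAEMON -D '$PGDATA' >>$PGLOG 2>&1 &"
 ;;
 status)
 su -l$PGUSER -c"$PGCTL status -D '$PGDATA'"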
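Review bot: `$PGLOG` is left unquoted inside the command string on the new start and restart lines, while `$PGDATA` right beside it is single-quoted. The string is expanded by the calling shell and then parsed a second time by the shell that su starts for $PGUSER, so a log path containing a space or a shell metacharacter would be split or interpreted at that point. Quoting it the same way as the data directory keeps the redirection target a single word: `su -l $PGUSER -c "$DAEMON -D '$PGDATA' >>'$PGLOG' 2>&1 &"`. The two new lines in contrib/start-scripts/linux have the same form, whereas the osx script already wraps the path in escaped quotes. The case statement continues outside this hunk.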

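--- a/contrib/start-scripts/linux
+++ b/contrib/start-scripts/linux
@@ -92,7 +92,7 @@ case $1 in
 start)
 echo -n"Starting PostgreSQL:"
 test -e"$PG_OOM_ADJUST_FILE"&&echo"$PG_MASTER_OOM_SCORE_ADJ">"$PG_OOM_ADJUST_FILE"
-su -$PGUSER -c"$DAEMON_ENV$DAEMON -D '$PGDATA'&">>$PGLOG2>&1
+su -$PGUSER -c"$DAEMON_ENV$DAEMON -D '$PGDATA' >>$PGLOG 2>&1 &"
 echo"ok"
 ;;
 stop)
@@ -104,7 +104,7 @@ case $1 in
 echo -n"Restarting PostgreSQL:"
 su -$PGUSER -c"$PGCTL stop -D '$PGDATA' -s -m fast -w"
 test -e"$PG_OOM_ADJUST_FILE"&&echo"$PG_MASTER_OOM_SCORE_ADJ">"$PG_OOM_ADJUST_FILE"
-su -$PGUSER -c"$DAEMON_ENV$DAEMON -D '$PGDATA'&">>$PGLOG2>&1
+su -$PGUSER -c"$DAEMON_ENV$DAEMON -D '$PGDATA' >>$PGLOG 2>&1 &"
 echo"ok"
 ;;
 reload)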
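Review bot: Both the start and restart branches still print `ok` unconditionally right after the new su line, so a log file that $PGUSER cannot open goes unreported. The redirection now runs inside a backgrounded command in $PGUSER's shell, where a failed open would most likely leave su returning success while the server never starts. The commit message says most installations have a root-only $PGLOG, which is exactly that case until the file is renamed. A comment above each su line would make the new requirement visible in the script itself, for example `# $PGLOG is opened by $PGUSER, not root: it must be creatable or appendable by $PGUSER or the server will not start.` The case statement begins and continues outside both hunks, so any later status check is not visible here.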

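--- a/contrib/start-scripts/osx/PostgreSQL
+++ b/contrib/start-scripts/osx/PostgreSQL
@@ -81,9 +81,9 @@ StartService () {
 if ["${POSTGRESQL:=-NO-}"="-YES-" ];then
 ConsoleMessage"Starting PostgreSQL database server"
 if ["${ROTATELOGS}"="1" ];then
-sudo -u$PGUSER sh -c"${DAEMON} -D '${PGDATA}'&"2>&1|${LOGUTIL}"${PGLOG}"${ROTATESEC}&
+sudo -u$PGUSER sh -c"${DAEMON} -D '${PGDATA}' 2>&1 |${LOGUTIL}\"${PGLOG}\"${ROTATESEC} &"
 else
-sudo -u$PGUSER sh -c"${DAEMON} -D '${PGDATA}'&">>"$PGLOG"2>&1
+sudo -u$PGUSER sh -c"${DAEMON} -D '${PGDATA}'>>\"$PGLOG\" 2>&1 &"
 fi
 fi
 }
@@ -100,9 +100,9 @@ RestartService () {
 sudo -u$PGUSER sh -c"$PGCTL stop -D '${PGDATA}' -s -m fast"
 # should match StartService:
 if ["${ROTATELOGS}"="1" ];then
-sudo -u$PGUSER sh -c"${DAEMON} -D '${PGDATA}'&"2>&1|${LOGUTIL}"${PGLOG}"${ROTATESEC}&
+sudo -u$PGUSER sh -c"${DAEMON} -D '${PGDATA}' 2>&1 |${LOGUTIL}\"${PGLOG}\"${ROTATESEC} &"
 else
-sudo -u$PGUSER sh -c"${DAEMON} -D '${PGDATA}'>>\"$PGLOG\" 2>&1 &"
+sudo -u$PGUSER sh -c"${DAEMON} -D '${PGDATA}'>>\"$PGLOG\" 2>&1 &"
 fi
 else
 StopService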
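Review bot: The security-sensitive launch command now exists as two identical copies, one in StartService and one in RestartService, kept in step only by the `# should match StartService:` comment. The point of this change is that `${PGLOG}` is opened inside the `sudo -u $PGUSER sh -c` string and never by the root shell, so a later edit to one copy could bring back the root-side redirection without anyone noticing. Moving the `if [ "${ROTATELOGS}" = "1" ]` block into one helper function that both callers invoke would leave a single place to audit. At minimum, a comment above each copy would record the invariant, for example `# Open the log as $PGUSER only; root must never open ${PGLOG} (CVE-2017-12172).` StartService begins before the first hunk and RestartService continues past the second.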
