Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commitd1bfa6c

Browse files
committed
Add runtime configuration options to control permission bits and group
owner of unix socket.
1 parent855ffa0 commitd1bfa6c

File tree

5 files changed

+135
-9
lines changed

5 files changed

+135
-9
lines changed

‎doc/src/sgml/runtime.sgml

Lines changed: 52 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
<!--
2-
$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.30 2000/10/2014:00:49 thomas Exp $
2+
$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.31 2000/11/01 21:14:00 petere Exp $
33
-->
44

55
<Chapter Id="runtime">
@@ -1031,6 +1031,57 @@ env PGOPTIONS='--geqo=off' psql
10311031
</para>
10321032
</listitem>
10331033
</varlistentry>
1034+
1035+
<varlistentry>
1036+
<term>UNIX_SOCKET_GROUP (<type>string</type>)</term>
1037+
<listitem>
1038+
<para>
1039+
Sets the group owner of the Unix domain socket. (The owning
1040+
user of the socket is always the user that starts the
1041+
postmaster.) In combination with the option
1042+
<option>UNIX_SOCKET_PERMISSIONS</option> this can be used as
1043+
an additional access control mechanism for this socket type.
1044+
By default this is the empty string, which uses the default
1045+
group for the current user. This option can only be set at
1046+
server start.
1047+
</para>
1048+
</listitem>
1049+
</varlistentry>
1050+
1051+
<varlistentry>
1052+
<term>UNIX_SOCKET_PERMISSIONS (<type>integer</type>)</term>
1053+
<listitem>
1054+
<para>
1055+
Sets the access permissions of the Unix domain socket. Unix
1056+
domain sockets use the usual Unix file system permission set.
1057+
The option value is expected to be an numeric mode
1058+
specification in the form accepted by the
1059+
<function>chmod</function> and <function>umask</function>
1060+
system calls. (To use the customary octal format the number
1061+
must start with a <literal>0</literal> (zero).)
1062+
</para>
1063+
1064+
<para>
1065+
The default permissions are <literal>0777</literal>, meaning
1066+
anyone can connect. Reasonable alternatives would be
1067+
<literal>0770</literal> (only user and group, see also under
1068+
<option>UNIX_SOCKET_GROUP</option>) and
1069+
<literal>0700</literal> (only user). (Note that actually for
1070+
a Unix socket, only write permission matters and there is no
1071+
point in setting or revoking read or execute permissions.)
1072+
</para>
1073+
1074+
<para>
1075+
This access control mechanism is independent from the one
1076+
described in <xref linkend="client-authentication">.
1077+
</para>
1078+
1079+
<para>
1080+
This option can only be set at server start.
1081+
</para>
1082+
</listitem>
1083+
</varlistentry>
1084+
10341085
</variablelist>
10351086
</para>
10361087
</sect2>

‎src/backend/libpq/pqcomm.c

Lines changed: 62 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -29,7 +29,7 @@
2929
* Portions Copyright (c) 1996-2000, PostgreSQL, Inc
3030
* Portions Copyright (c) 1994, Regents of the University of California
3131
*
32-
*$Id: pqcomm.c,v 1.108 2000/10/2314:48:50 momjian Exp $
32+
*$Id: pqcomm.c,v 1.109 2000/11/01 21:14:01 petere Exp $
3333
*
3434
*-------------------------------------------------------------------------
3535
*/
@@ -63,6 +63,7 @@
6363
#include<signal.h>
6464
#include<errno.h>
6565
#include<fcntl.h>
66+
#include<grp.h>
6667
#include<unistd.h>
6768
#include<sys/types.h>
6869
#include<sys/stat.h>
@@ -84,6 +85,13 @@
8485
#endif
8586

8687

88+
/*
89+
* Configuration options
90+
*/
91+
intUnix_socket_permissions;
92+
char*Unix_socket_group;
93+
94+
8795
/*
8896
* Buffers for low-level I/O
8997
*/
@@ -295,8 +303,60 @@ StreamServerPort(int family, unsigned short portName, int *fdP)
295303
*/
296304

297305
*fdP=fd;
306+
298307
if (family==AF_UNIX)
299-
chmod(sock_path,0777);
308+
{
309+
Assert(Unix_socket_group);
310+
if (Unix_socket_group[0]!='\0')
311+
{
312+
char*endptr;
313+
unsigned longintval;
314+
gid_tgid;
315+
316+
val=strtoul(Unix_socket_group,&endptr,10);
317+
if (*endptr=='\0')
318+
{
319+
/* numeric group id */
320+
gid=val;
321+
}
322+
else
323+
{
324+
/* convert group name to id */
325+
structgroup*gr;
326+
327+
gr=getgrnam(Unix_socket_group);
328+
if (!gr)
329+
{
330+
snprintf(PQerrormsg,PQERRORMSG_LENGTH,
331+
"FATAL: no such group '%s'\n",
332+
Unix_socket_group);
333+
fputs(PQerrormsg,stderr);
334+
pqdebug("%s",PQerrormsg);
335+
returnSTATUS_ERROR;
336+
}
337+
gid=gr->gr_gid;
338+
}
339+
if (chown(sock_path,-1,gid)==-1)
340+
{
341+
snprintf(PQerrormsg,PQERRORMSG_LENGTH,
342+
"FATAL: could not set group of %s: %s\n",
343+
sock_path,strerror(errno));
344+
fputs(PQerrormsg,stderr);
345+
pqdebug("%s",PQerrormsg);
346+
returnSTATUS_ERROR;
347+
}
348+
}
349+
350+
if (chmod(sock_path,Unix_socket_permissions)==-1)
351+
{
352+
snprintf(PQerrormsg,PQERRORMSG_LENGTH,
353+
"FATAL: could not set permissions on %s: %s\n",
354+
sock_path,strerror(errno));
355+
fputs(PQerrormsg,stderr);
356+
pqdebug("%s",PQerrormsg);
357+
returnSTATUS_ERROR;
358+
}
359+
}
300360
returnSTATUS_OK;
301361
}
302362

‎src/backend/postmaster/postmaster.c

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@
1111
*
1212
*
1313
* IDENTIFICATION
14-
* $Header: /cvsroot/pgsql/src/backend/postmaster/postmaster.c,v 1.176 2000/10/28 18:27:55 momjian Exp $
14+
* $Header: /cvsroot/pgsql/src/backend/postmaster/postmaster.c,v 1.177 2000/11/01 21:14:02 petere Exp $
1515
*
1616
* NOTES
1717
*
@@ -588,7 +588,7 @@ PostmasterMain(int argc, char *argv[])
588588
{
589589
fprintf(stderr,"%s: cannot create INET stream port\n",
590590
progname);
591-
exit(1);
591+
ExitPostmaster(1);
592592
}
593593
}
594594

@@ -598,7 +598,7 @@ PostmasterMain(int argc, char *argv[])
598598
{
599599
fprintf(stderr,"%s: cannot create UNIX stream port\n",
600600
progname);
601-
exit(1);
601+
ExitPostmaster(1);
602602
}
603603
#endif
604604
/* set up shared memory and semaphores */

‎src/backend/utils/misc/guc.c

Lines changed: 9 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@
44
* Support for grand unified configuration scheme, including SET
55
* command, configuration file, and command line options.
66
*
7-
* $Header: /cvsroot/pgsql/src/backend/utils/misc/guc.c,v 1.14 2000/10/11 17:58:01 momjian Exp $
7+
* $Header: /cvsroot/pgsql/src/backend/utils/misc/guc.c,v 1.15 2000/11/01 21:14:03 petere Exp $
88
*
99
* Copyright 2000 by PostgreSQL Global Development Group
1010
* Written by Peter Eisentraut <peter_e@gmx.net>.
@@ -22,6 +22,7 @@
2222

2323
#include"commands/async.h"
2424
#include"libpq/auth.h"
25+
#include"libpq/pqcomm.h"
2526
#include"miscadmin.h"
2627
#include"optimizer/cost.h"
2728
#include"optimizer/geqo.h"
@@ -253,6 +254,9 @@ ConfigureNamesInt[] =
253254
{"max_expr_depth",PGC_USERSET,&max_expr_depth,
254255
DEFAULT_MAX_EXPR_DEPTH,10,INT_MAX},
255256

257+
{"unix_socket_permissions",PGC_POSTMASTER,&Unix_socket_permissions,
258+
0777,0000,0777},
259+
256260
{NULL,0,NULL,0,0,0}
257261
};
258262

@@ -281,9 +285,12 @@ ConfigureNamesReal[] =
281285
staticstructconfig_string
282286
ConfigureNamesString[]=
283287
{
284-
{"krb_server_keyfile",PGC_USERSET,&pg_krb_server_keyfile,
288+
{"krb_server_keyfile",PGC_POSTMASTER,&pg_krb_server_keyfile,
285289
PG_KRB_SRVTAB,NULL},
286290

291+
{"unix_socket_group",PGC_POSTMASTER,&Unix_socket_group,
292+
"",NULL},
293+
287294
{NULL,0,NULL,NULL,NULL}
288295
};
289296

‎src/include/libpq/pqcomm.h

Lines changed: 9 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -9,7 +9,7 @@
99
* Portions Copyright (c) 1996-2000, PostgreSQL, Inc
1010
* Portions Copyright (c) 1994, Regents of the University of California
1111
*
12-
* $Id: pqcomm.h,v 1.42 2000/09/27 15:17:56 petere Exp $
12+
* $Id: pqcomm.h,v 1.43 2000/11/01 21:14:03 petere Exp $
1313
*
1414
*-------------------------------------------------------------------------
1515
*/
@@ -169,4 +169,12 @@ typedef struct CancelRequestPacket
169169
*/
170170
#defineNEGOTIATE_SSL_CODE PG_PROTOCOL(1234,5679)
171171

172+
173+
/*
174+
* Configuration options
175+
*/
176+
externintUnix_socket_permissions;
177+
178+
externchar*Unix_socket_group;
179+
172180
#endif/* PQCOMM_H */

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp