projects / postgresql.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 9eff02f)
Prevent pg_ctl from being run as root. Since it uses configuration files
authorTom Lane
Fri, 22 Oct 2004 00:24:18 +0000 (00:24 +0000)
committerTom Lane
Fri, 22 Oct 2004 00:24:18 +0000 (00:24 +0000)
owned by postgres, doing "pg_ctl start" as root could allow a privilege
escalation attack, as pointed out by iDEFENSE.  Of course the postmaster would
fail, but we ought to fail a little sooner to protect sysadmins unfamiliar
with Postgres.  The chosen fix is to disable root use of pg_ctl in all cases,
just to be confident there are no other holes.

src/bin/pg_ctl/pg_ctl.c patch | blob | blame | history

diff --git a/src/bin/pg_ctl/pg_ctl.c b/src/bin/pg_ctl/pg_ctl.c
index 4f1c47af86c9223a4e95aac9abafc7934ccb09b3..054e8d78227d116020b257ac50b31413d678d9b6 100644 (file)
--- a/src/bin/pg_ctl/pg_ctl.c
+++ b/src/bin/pg_ctl/pg_ctl.c
@@ -4,7 +4,7 @@
  *
  * Portions Copyright (c) 1996-2004, PostgreSQL Global Development Group
  *
- * $PostgreSQL: pgsql/src/bin/pg_ctl/pg_ctl.c,v 1.41 2004/10/19 13:38:53 petere Exp $
+ * $PostgreSQL: pgsql/src/bin/pg_ctl/pg_ctl.c,v 1.42 2004/10/22 00:24:18 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -14,9 +14,9 @@
 
 #include 
 #include 
-#include 
 #include 
 #include 
+#include 
 
 #include "libpq/pqsignal.h"
 #include "getopt_long.h"
@@ -1229,6 +1229,7 @@ main(int argc, char **argv)
 
    umask(077);
 
+   /* support --help and --version even if invoked as root */
    if (argc > 1)
    {
        if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 ||
@@ -1244,6 +1245,23 @@ main(int argc, char **argv)
        }
    }
 
+   /*
+    * Disallow running as root, to forestall any possible security holes.
+    */
+#ifndef WIN32
+#ifndef __BEOS__               /* no root check on BEOS */
+   if (geteuid() == 0)
+   {
+       write_stderr(_("%s: cannot be run as root\n"
+                      "Please log in (using, e.g., \"su\") as the "
+                      "(unprivileged) user that will\n"
+                      "own the server process.\n"),
+                    progname);
+       exit(1);
+   }
+#endif
+#endif
+
    /*
     * 'Action' can be before or after args so loop over both. Some
     * getopt_long() implementations will reorder argv[] to place all
This is the main PostgreSQL git repository.