Prevent pg_ctl from being run as root. Since it uses configuration files

owned by postgres, doing "pg_ctl start" as root could allow a privilege escalation attack, as pointed out by iDEFENSE. Of course the postmaster would fail, but we ought to fail a little sooner to protect sysadmins unfamiliar with Postgres. The chosen fix is to disable root use of pg_ctl in all cases, just to be confident there are no other holes.
22 years ago · c58675b428
parent 9eff02f5ac
commit c58675b428
1 changed files with 20 additions and 2 deletions
--- a/src/bin/pg_ctl/pg_ctl.c
+++ b/src/bin/pg_ctl/pg_ctl.c
@ -4,7 +4,7 @@
 *
 * Portions Copyright (c) 1996-2004, PostgreSQL Global Development Group
 *
- * $PostgreSQL: pgsql/src/bin/pg_ctl/pg_ctl.c,v 1.41 2004/10/19 13:38:53 petere Exp $
+ * $PostgreSQL: pgsql/src/bin/pg_ctl/pg_ctl.c,v 1.42 2004/10/22 00:24:18 tgl Exp $
 *
 *-------------------------------------------------------------------------
 */
@ -14,9 +14,9 @@

 #include <locale.h>
 #include <signal.h>
-#include <errno.h>
 #include <sys/types.h>
 #include <sys/stat.h>
+#include <unistd.h>

 #include "libpq/pqsignal.h"
 #include "getopt_long.h"
@ -1229,6 +1229,7 @@ main(int argc, char **argv)

 	umask(077);

+	/* support --help and --version even if invoked as root */
 	if (argc > 1)
 	{
 		if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 ||
@ -1244,6 +1245,23 @@ main(int argc, char **argv)
 		}
 	}

+	/*
+	 * Disallow running as root, to forestall any possible security holes.
+	 */
+#ifndef WIN32
+#ifndef __BEOS__				/* no root check on BEOS */
+	if (geteuid() == 0)
+	{
+		write_stderr(_("%s: cannot be run as root\n"
+					   "Please log in (using, e.g., \"su\") as the "
+					   "(unprivileged) user that will\n"
+					   "own the server process.\n"),
+					 progname);
+		exit(1);
+	}
+#endif
+#endif
+
 	/*
 	 * 'Action' can be before or after args so loop over both. Some
 	 * getopt_long() implementations will reorder argv[] to place all