]> granicus.if.org Git - postgresql/commit
projects / postgresql / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: b2e15d3) | patch
Ensure that all temp files made during pg_upgrade are non-world-readable.
authorTom Lane <tgl@sss.pgh.pa.us>
Mon, 5 Feb 2018 15:58:27 +0000 (10:58 -0500)
committerTom Lane <tgl@sss.pgh.pa.us>
Mon, 5 Feb 2018 15:58:27 +0000 (10:58 -0500)
commit1341e017dffee00fb245081ec5a11d3b93d9aafb
tree3261158156ca5fec9fe0ec34395e96b5c9f2dc6ctree | snapshot
parentb2e15d39d74f226f25a9362f1a1834bf25f47288commit | diff
Ensure that all temp files made during pg_upgrade are non-world-readable.

pg_upgrade has always attempted to ensure that the transient dump files
it creates are inaccessible except to the owner.  However, refactoring
in commit 76a7650c4 broke that for the file containing "pg_dumpall -g"
output; since then, that file was protected according to the process's
default umask.  Since that file may contain role passwords (hopefully
encrypted, but passwords nonetheless), this is a particularly unfortunate
oversight.  Prudent users of pg_upgrade on multiuser systems would
probably run it under a umask tight enough that the issue is moot, but
perhaps some users are depending only on pg_upgrade's umask changes to
protect their data.

To fix this in a future-proof way, let's just tighten the umask at
process start.  There are no files pg_upgrade needs to write at a
weaker security level; and if there were, transiently relaxing the
umask around where they're created would be a safer approach.

Report and patch by Tom Lane; the idea for the fix is due to Noah Misch.
Back-patch to all supported branches.

Security: CVE-2018-1053
src/bin/pg_upgrade/dump.c diff | blob | history
src/bin/pg_upgrade/file.c diff | blob | history
src/bin/pg_upgrade/pg_upgrade.c diff | blob | history
src/bin/pg_upgrade/pg_upgrade.h diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.