Change backend-side COPY to write files with permissions 644 not 666

(whoever thought world-writable files were a good default????). Modify the pg_pwd code so that pg_pwd is created with 600 permissions. Modify initdb so that permissions on a pre-existing PGDATA directory are not blindly accepted: if the dir is already there, it does chmod go-rwx to be sure that the permissions are OK and the dir actually is owned by postgres.
2025-10-27 00:12:01 +03:00 · 1999-11-21 04:16:17 +00:00
parent 76ccf73f2b
commit d8ba3dfb0b
5 changed files with 49 additions and 23 deletions
--- a/src/backend/commands/copy.c
+++ b/src/backend/commands/copy.c
@@ -6,7 +6,7 @@
 *
 *
 * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/commands/copy.c,v 1.89 1999/09/27 20:00:44 momjian Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/commands/copy.c,v 1.90 1999/11/21 04:16:17 tgl Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -214,12 +214,12 @@ CopyDonePeek(FILE *fp, int c, int pickup)


 /*
- *	 DoCopy executes a the SQL COPY statement.
+ *	 DoCopy executes the SQL COPY statement.
 */

 void
 DoCopy(char *relname, bool binary, bool oids, bool from, bool pipe,
-	   char *filename, char *delim)
+	   char *filename, char *delim, int fileumask)
 {
 /*----------------------------------------------------------------------------
  Either unload or reload contents of class <relname>, depending on <from>.
@@ -234,6 +234,11 @@ DoCopy(char *relname, bool binary, bool oids, bool from, bool pipe,

  If in the text format, delimit columns with delimiter <delim>.

+  <fileumask> is the umask(2) setting to use while creating an output file.
+  This should usually be more liberal than the backend's normal 077 umask,
+  but not always (in particular, "pg_pwd" should be written with 077!).
+  Up through version 6.5, <fileumask> was always 000, which was foolhardy.
+
  When loading in the text format from an input stream (as opposed to
  a file), recognize a "." on a line by itself as EOF.	Also recognize
  a stream EOF.  When unloading in the text format to an output stream,
@@ -316,7 +321,7 @@ DoCopy(char *relname, bool binary, bool oids, bool from, bool pipe,
 			{
 				mode_t		oumask;		/* Pre-existing umask value */

-				oumask = umask((mode_t) 0);
+				oumask = umask((mode_t) fileumask);
 #ifndef __CYGWIN32__
 				fp = AllocateFile(filename, "w");
 #else
--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -5,7 +5,7 @@
 *
 * Copyright (c) 1994, Regents of the University of California
 *
- * $Id: user.c,v 1.35 1999/09/27 16:44:50 momjian Exp $
+ * $Id: user.c,v 1.36 1999/11/21 04:16:16 tgl Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -20,6 +20,7 @@
 #include "catalog/catname.h"
 #include "catalog/pg_database.h"
 #include "catalog/pg_shadow.h"
+#include "commands/copy.h"
 #include "commands/user.h"
 #include "libpq/crypt.h"
 #include "miscadmin.h"
@@ -43,7 +44,7 @@ static void CheckPgUserAclNotNull(void);
 *---------------------------------------------------------------------
 */
 static void
-UpdatePgPwdFile(char *sql, CommandDest dest)
+UpdatePgPwdFile(void)
 {
 	char	   *filename,
 			   *tempname;
@@ -60,16 +61,22 @@ UpdatePgPwdFile(char *sql, CommandDest dest)
 	snprintf(tempname, bufsize, "%s.%d", filename, MyProcPid);

 	/*
-	 * Copy the contents of pg_shadow to the pg_pwd ASCII file using a the
-	 * SEPCHAR character as the delimiter between fields.  Then rename the
-	 * file to its final name.
+	 * Copy the contents of pg_shadow to the pg_pwd ASCII file using the
+	 * SEPCHAR character as the delimiter between fields.  Make sure the
+	 * file is created with mode 600 (umask 077).
+	 */
+	DoCopy(ShadowRelationName,	/* relname */
+		   false,				/* binary */
+		   false,				/* oids */
+		   false,				/* from */
+		   false,				/* pipe */
+		   tempname,			/* filename */
+		   CRYPT_PWD_FILE_SEPCHAR, /* delim */
+		   0077);				/* fileumask */
+	/*
+	 * And rename the temp file to its final name, deleting the old pg_pwd.
 	 */
-	snprintf(sql, SQL_LENGTH,
-			 "copy %s to '%s' using delimiters %s",
-			 ShadowRelationName, tempname, CRYPT_PWD_FILE_SEPCHAR);
-	pg_exec_query_dest(sql, dest, false);
 	rename(tempname, filename);
-	pfree((void *) tempname);

 	/*
 	 * Create a flag file the postmaster will detect the next time it
@@ -78,6 +85,8 @@ UpdatePgPwdFile(char *sql, CommandDest dest)
 	 */
 	filename = crypt_getpwdreloadfilename();
 	creat(filename, S_IRUSR | S_IWUSR);
+
+	pfree((void *) tempname);
 }

 /*---------------------------------------------------------------------
@@ -203,7 +212,7 @@ DefineUser(CreateUserStmt *stmt, CommandDest dest)
 	 * we can be sure no other backend will try to write the flat
 	 * file at the same time.
 	 */
-	UpdatePgPwdFile(sql, dest);
+	UpdatePgPwdFile();

 	/*
 	 * Now we can clean up.
@@ -313,7 +322,7 @@ AlterUser(AlterUserStmt *stmt, CommandDest dest)
 	 * we can be sure no other backend will try to write the flat
 	 * file at the same time.
 	 */
-	UpdatePgPwdFile(sql, dest);
+	UpdatePgPwdFile();

 	/*
 	 * Now we can clean up.
@@ -446,7 +455,7 @@ RemoveUser(char *user, CommandDest dest)
 	 * we can be sure no other backend will try to write the flat
 	 * file at the same time.
 	 */
-	UpdatePgPwdFile(sql, dest);
+	UpdatePgPwdFile();

 	/*
 	 * Now we can clean up.