Change backend-side COPY to write files with permissions 644 not 666

(whoever thought world-writable files were a good default????). Modify the pg_pwd code so that pg_pwd is created with 600 permissions. Modify initdb so that permissions on a pre-existing PGDATA directory are not blindly accepted: if the dir is already there, it does chmod go-rwx to be sure that the permissions are OK and the dir actually is owned by postgres.
2025-07-07 00:36:50 +03:00 · 1999-11-21 04:16:17 +00:00
parent 76ccf73f2b
commit d8ba3dfb0b
5 changed files with 49 additions and 23 deletions
--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@ -5,7 +5,7 @@
 *
 * Copyright (c) 1994, Regents of the University of California
 *
- * $Id: user.c,v 1.35 1999/09/27 16:44:50 momjian Exp $
+ * $Id: user.c,v 1.36 1999/11/21 04:16:16 tgl Exp $
 *
 *-------------------------------------------------------------------------
 */
@ -20,6 +20,7 @@
 #include "catalog/catname.h"
 #include "catalog/pg_database.h"
 #include "catalog/pg_shadow.h"
+#include "commands/copy.h"
 #include "commands/user.h"
 #include "libpq/crypt.h"
 #include "miscadmin.h"
@ -43,7 +44,7 @@ static void CheckPgUserAclNotNull(void);
 *---------------------------------------------------------------------
 */
 static void
-UpdatePgPwdFile(char *sql, CommandDest dest)
+UpdatePgPwdFile(void)
 {
 	char	   *filename,
 			   *tempname;
@ -60,16 +61,22 @@ UpdatePgPwdFile(char *sql, CommandDest dest)
 	snprintf(tempname, bufsize, "%s.%d", filename, MyProcPid);

 	/*
-	 * Copy the contents of pg_shadow to the pg_pwd ASCII file using a the
-	 * SEPCHAR character as the delimiter between fields.  Then rename the
-	 * file to its final name.
+	 * Copy the contents of pg_shadow to the pg_pwd ASCII file using the
+	 * SEPCHAR character as the delimiter between fields.  Make sure the
+	 * file is created with mode 600 (umask 077).
+	 */
+	DoCopy(ShadowRelationName,	/* relname */
+		   false,				/* binary */
+		   false,				/* oids */
+		   false,				/* from */
+		   false,				/* pipe */
+		   tempname,			/* filename */
+		   CRYPT_PWD_FILE_SEPCHAR, /* delim */
+		   0077);				/* fileumask */
+	/*
+	 * And rename the temp file to its final name, deleting the old pg_pwd.
 	 */
-	snprintf(sql, SQL_LENGTH,
-			 "copy %s to '%s' using delimiters %s",
-			 ShadowRelationName, tempname, CRYPT_PWD_FILE_SEPCHAR);
-	pg_exec_query_dest(sql, dest, false);
 	rename(tempname, filename);
-	pfree((void *) tempname);

 	/*
 	 * Create a flag file the postmaster will detect the next time it
@ -78,6 +85,8 @@ UpdatePgPwdFile(char *sql, CommandDest dest)
 	 */
 	filename = crypt_getpwdreloadfilename();
 	creat(filename, S_IRUSR | S_IWUSR);
+
+	pfree((void *) tempname);
 }

 /*---------------------------------------------------------------------
@ -203,7 +212,7 @@ DefineUser(CreateUserStmt *stmt, CommandDest dest)
 	 * we can be sure no other backend will try to write the flat
 	 * file at the same time.
 	 */
-	UpdatePgPwdFile(sql, dest);
+	UpdatePgPwdFile();

 	/*
 	 * Now we can clean up.
@ -313,7 +322,7 @@ AlterUser(AlterUserStmt *stmt, CommandDest dest)
 	 * we can be sure no other backend will try to write the flat
 	 * file at the same time.
 	 */
-	UpdatePgPwdFile(sql, dest);
+	UpdatePgPwdFile();

 	/*
 	 * Now we can clean up.
@ -446,7 +455,7 @@ RemoveUser(char *user, CommandDest dest)
 	 * we can be sure no other backend will try to write the flat
 	 * file at the same time.
 	 */
-	UpdatePgPwdFile(sql, dest);
+	UpdatePgPwdFile();

 	/*
 	 * Now we can clean up.