Remove useless setuid() call, instead add a check that real and effective

userids are the same.  Per today's pghackers discussion.

diff --git a/src/backend/main/main.c b/src/backend/main/main.c
index 46e03d8..0951649 100644 (file)
--- a/src/backend/main/main.c
+++ b/src/backend/main/main.c
@@ -13,7 +13,7 @@
  *
  *
  * IDENTIFICATION
- *       $Header: /cvsroot/pgsql/src/backend/main/main.c,v 1.42 2001/03/22 03:59:30 momjian Exp $
+ *       $Header: /cvsroot/pgsql/src/backend/main/main.c,v 1.43 2001/04/21 18:29:29 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -103,22 +103,46 @@ main(int argc, char *argv[])
         */
 
        /*
-        * Make sure we are not running as root.
-        *
-        * BeOS currently runs everything as root :-(, so this check must be
-        * temporarily disabled there...
+        * Skip permission checks if we're just trying to do --help or --version;
+        * otherwise root will get unhelpful failure messages from initdb.
         */
-#ifndef __BEOS__
        if (!(argc > 1
-                 && (strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") == 0
-        || strcmp(argv[1], "--version") == 0 || strcmp(argv[1], "-V") == 0))
-               && (geteuid() == 0))
+                 && (strcmp(argv[1], "--help") == 0 ||
+                         strcmp(argv[1], "-?") == 0 ||
+                         strcmp(argv[1], "--version") == 0 ||
+                         strcmp(argv[1], "-V") == 0)))
        {
-               fprintf(stderr, "%s", NOROOTEXEC);
-               exit(1);
-       }
+               /*
+                * Make sure we are not running as root.
+                *
+                * BeOS currently runs everything as root :-(, so this check must be
+                * temporarily disabled there...
+                */
+#ifndef __BEOS__
+               if (geteuid() == 0)
+               {
+                       fprintf(stderr, "%s", NOROOTEXEC);
+                       exit(1);
+               }
 #endif  /* __BEOS__ */
 
+               /*
+                * Also make sure that real and effective uids are the same.
+                * Executing Postgres as a setuid program from a root shell is a
+                * security hole, since on many platforms a nefarious subroutine could
+                * setuid back to root if real uid is root.  (Since nobody actually
+                * uses Postgres as a setuid program, trying to actively fix this
+                * situation seems more trouble than it's worth; we'll just expend the
+                * effort to check for it.)
+                */
+               if (getuid() != geteuid())
+               {
+                       fprintf(stderr, "%s: real and effective userids must match\n",
+                                       argv[0]);
+                       exit(1);
+               }
+       }
+
        /*
         * Set up locale information from environment, in only the categories
         * needed by Postgres; leave other categories set to default "C".
@@ -162,7 +186,8 @@ main(int argc, char *argv[])
        pw = getpwuid(geteuid());
        if (pw == NULL)
        {
-               fprintf(stderr, "%s: invalid current euid", argv[0]);
+               fprintf(stderr, "%s: invalid current euid %d\n",
+                               argv[0], (int) geteuid());
                exit(1);
        }
        /* Allocate new memory because later getpwuid() calls can overwrite it */

diff --git a/src/backend/utils/init/findbe.c b/src/backend/utils/init/findbe.c
index d59b3bf..507e3db 100644 (file)
--- a/src/backend/utils/init/findbe.c
+++ b/src/backend/utils/init/findbe.c
@@ -7,7 +7,7 @@
  *
  *
  * IDENTIFICATION
- *       $Header: /cvsroot/pgsql/src/backend/utils/init/Attic/findbe.c,v 1.20 2001/01/24 19:43:15 momjian Exp $
+ *       $Header: /cvsroot/pgsql/src/backend/utils/init/Attic/findbe.c,v 1.21 2001/04/21 18:29:29 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -93,9 +93,6 @@ ValidateBinary(char *path)
        /*
         * Ensure that the file is both executable and readable (required for
         * dynamic loading).
-        *
-        * We use the effective uid here because the backend will not have
-        * executed setuid() by the time it calls this routine.
         */
        euid = geteuid();
        if (euid == buf.st_uid)

diff --git a/src/backend/utils/init/postinit.c b/src/backend/utils/init/postinit.c
index 57a5dbe..f877564 100644 (file)
--- a/src/backend/utils/init/postinit.c
+++ b/src/backend/utils/init/postinit.c
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *       $Header: /cvsroot/pgsql/src/backend/utils/init/postinit.c,v 1.83 2001/03/22 06:16:18 momjian Exp $
+ *       $Header: /cvsroot/pgsql/src/backend/utils/init/postinit.c,v 1.84 2001/04/21 18:29:29 tgl Exp $
  *
  *
  *-------------------------------------------------------------------------
@@ -335,16 +335,14 @@ InitPostgres(const char *dbname, const char *username)
                LockDisable(true);
 
        /*
-        * Set ourselves to the proper user id and figure out our postgres
-        * user id.
+        * Figure out our postgres user id.  If bootstrapping, we can't
+        * assume that pg_shadow exists yet, so fake it.
         */
        if (bootstrap)
                SetSessionUserId(geteuid());
        else
                SetSessionUserIdFromUserName(username);
 
-       setuid(geteuid());
-
        /*
         * Unless we are bootstrapping, double-check that InitMyDatabaseInfo()
         * got a correct result.  We can't do this until all the