Remove useless setuid() call, instead add a check that real and effective

tglsfdc · tglsfdc · commit 8407bb3c724f · 2001-04-21T18:29:29.000Z
userids are the same.  Per today's pghackers discussion.
diff --git a/src/backend/main/main.c b/src/backend/main/main.c
@@ -13,7 +13,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/main/main.c,v 1.42 2001/03/22 03:59:30 momjian Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/main/main.c,v 1.43 2001/04/21 18:29:29 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -103,22 +103,46 @@ main(int argc, char *argv[])
 	 */
 
 	/*
-	 * Make sure we are not running as root.
-	 *
-	 * BeOS currently runs everything as root :-(, so this check must be
-	 * temporarily disabled there...
+	 * Skip permission checks if we're just trying to do --help or --version;
+	 * otherwise root will get unhelpful failure messages from initdb.
 	 */
-#ifndef __BEOS__
 	if (!(argc > 1
-		  && (strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") == 0
-	 || strcmp(argv[1], "--version") == 0 || strcmp(argv[1], "-V") == 0))
-		&& (geteuid() == 0))
+		  && (strcmp(argv[1], "--help") == 0 ||
+			  strcmp(argv[1], "-?") == 0 ||
+			  strcmp(argv[1], "--version") == 0 ||
+			  strcmp(argv[1], "-V") == 0)))
 	{
-		fprintf(stderr, "%s", NOROOTEXEC);
-		exit(1);
-	}
+		/*
+		 * Make sure we are not running as root.
+		 *
+		 * BeOS currently runs everything as root :-(, so this check must be
+		 * temporarily disabled there...
+		 */
+#ifndef __BEOS__
+		if (geteuid() == 0)
+		{
+			fprintf(stderr, "%s", NOROOTEXEC);
+			exit(1);
+		}
 #endif	 /* __BEOS__ */
 
+		/*
+		 * Also make sure that real and effective uids are the same.
+		 * Executing Postgres as a setuid program from a root shell is a
+		 * security hole, since on many platforms a nefarious subroutine could
+		 * setuid back to root if real uid is root.  (Since nobody actually
+		 * uses Postgres as a setuid program, trying to actively fix this
+		 * situation seems more trouble than it's worth; we'll just expend the
+		 * effort to check for it.)
+		 */
+		if (getuid() != geteuid())
+		{
+			fprintf(stderr, "%s: real and effective userids must match\n",
+					argv[0]);
+			exit(1);
+		}
+	}
+
 	/*
 	 * Set up locale information from environment, in only the categories
 	 * needed by Postgres; leave other categories set to default "C".
@@ -162,7 +186,8 @@ main(int argc, char *argv[])
 	pw = getpwuid(geteuid());
 	if (pw == NULL)
 	{
-		fprintf(stderr, "%s: invalid current euid", argv[0]);
+		fprintf(stderr, "%s: invalid current euid %d\n",
+				argv[0], (int) geteuid());
 		exit(1);
 	}
 	/* Allocate new memory because later getpwuid() calls can overwrite it */
diff --git a/src/backend/utils/init/findbe.c b/src/backend/utils/init/findbe.c
@@ -7,7 +7,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/utils/init/Attic/findbe.c,v 1.20 2001/01/24 19:43:15 momjian Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/utils/init/Attic/findbe.c,v 1.21 2001/04/21 18:29:29 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -93,9 +93,6 @@ ValidateBinary(char *path)
 	/*
 	 * Ensure that the file is both executable and readable (required for
 	 * dynamic loading).
-	 *
-	 * We use the effective uid here because the backend will not have
-	 * executed setuid() by the time it calls this routine.
 	 */
 	euid = geteuid();
 	if (euid == buf.st_uid)
diff --git a/src/backend/utils/init/postinit.c b/src/backend/utils/init/postinit.c
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/utils/init/postinit.c,v 1.83 2001/03/22 06:16:18 momjian Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/utils/init/postinit.c,v 1.84 2001/04/21 18:29:29 tgl Exp $
  *
  *
  *-------------------------------------------------------------------------
@@ -335,16 +335,14 @@ InitPostgres(const char *dbname, const char *username)
 		LockDisable(true);
 
 	/*
-	 * Set ourselves to the proper user id and figure out our postgres
-	 * user id.
+	 * Figure out our postgres user id.  If bootstrapping, we can't
+	 * assume that pg_shadow exists yet, so fake it.
 	 */
 	if (bootstrap)
 		SetSessionUserId(geteuid());
 	else
 		SetSessionUserIdFromUserName(username);
 
-	setuid(geteuid());
-
 	/*
 	 * Unless we are bootstrapping, double-check that InitMyDatabaseInfo()
 	 * got a correct result.  We can't do this until all the

Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,7 @@`
`7`	`7`	`*`
`8`	`8`	`*`
`9`	`9`	`* IDENTIFICATION`
`10`		`- * $Header: /cvsroot/pgsql/src/backend/utils/init/Attic/findbe.c,v 1.20 2001/01/24 19:43:15 momjian Exp $`
	`10`	`+ * $Header: /cvsroot/pgsql/src/backend/utils/init/Attic/findbe.c,v 1.21 2001/04/21 18:29:29 tgl Exp $`
`11`	`11`	`*`
`12`	`12`	`*-------------------------------------------------------------------------`
`13`	`13`	`*/`
`@@ -93,9 +93,6 @@ ValidateBinary(char *path)`
`93`	`93`	`/*`
`94`	`94`	`* Ensure that the file is both executable and readable (required for`
`95`	`95`	`* dynamic loading).`
`96`		`- *`
`97`		`- * We use the effective uid here because the backend will not have`
`98`		`- * executed setuid() by the time it calls this routine.`
`99`	`96`	`*/`
`100`	`97`	`euid = geteuid();`
`101`	`98`	`if (euid == buf.st_uid)`