Prevent pg_ctl from being run as root. Since it uses configuration files

owned by postgres, doing "pg_ctl start" as root could allow a privilege escalation attack, as pointed out by iDEFENSE. Of course the postmaster would fail, but we ought to fail a little sooner to protect sysadmins unfamiliar with Postgres. The chosen fix is to disable root use of pg_ctl in all cases, just to be confident there are no other holes.
2024-12-15 08:20:16 +08:00 · 2004-10-22 00:24:39 +00:00 · 2004-10-22 00:24:39 +00:00 · 6acddf56b4
commit 6acddf56b4
parent 02571d4e20
1 changed files with 9 additions and 1 deletions
--- a/src/bin/pg_ctl/pg_ctl.sh
+++ b/src/bin/pg_ctl/pg_ctl.sh
@ -8,7 +8,7 @@
 #
 #
 # IDENTIFICATION
-#    $Header: /cvsroot/pgsql/src/bin/pg_ctl/Attic/pg_ctl.sh,v 1.25 2001/09/29 03:09:32 momjian Exp $
+#    $Header: /cvsroot/pgsql/src/bin/pg_ctl/Attic/pg_ctl.sh,v 1.25.2.1 2004/10/22 00:24:39 tgl Exp $
 #
 #-------------------------------------------------------------------------

@ -109,6 +109,14 @@ fi

 po_path="$PGPATH/postmaster"

+if [ `$PGPATH/pg_id -u` -eq 0 ]
+then
+    echo "$CMDNAME: cannot be run as root" 1>&2
+    echo "Please log in (using, e.g., \"su\") as the (unprivileged) user that will" 1>&2
+    echo "own the server process." 1>&2
+    exit 1
+fi
+
 wait=
 wait_seconds=60
 logfile=