Restrict file mode creation mask during tmpfile().
authorNoah Misch <noah@leadboat.com>
Mon, 21 Sep 2015 00:42:27 +0000 (20:42 -0400)
committerNoah Misch <noah@leadboat.com>
Mon, 21 Sep 2015 00:44:34 +0000 (20:44 -0400)
Per Coverity.  Back-patch to 9.0 (all supported versions).

Michael Paquier, reviewed (in earlier versions) by Heikki Linnakangas.

src/bin/pg_dump/pg_backup_tar.c

index b060cf8d0b51a5da1b982a966baf5f5c1a57eea1..51adf7917e1f4654f4861a0c1b62ca131a23a3ea 100644 (file)
@@ -375,8 +375,18 @@ tarOpen(ArchiveHandle *AH, const char *filename, char mode)
        }
        else
        {
+               int                     old_umask;
+
                tm = calloc(1, sizeof(TAR_MEMBER));
 
+               /*
+                * POSIX does not require, but permits, tmpfile() to restrict file
+                * permissions.  Given an OS crash after we write data, the filesystem
+                * might retain the data but forget tmpfile()'s unlink().  If so, the
+                * file mode protects confidentiality of the data written.
+                */
+               old_umask = umask(S_IRWXG | S_IRWXO);
+
 #ifndef WIN32
                tm->tmpFH = tmpfile();
 #else
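Review bot: `old_umask` at the top of the else branch is declared `int`, but umask() both takes and returns `mode_t`; declaring it `mode_t old_umask;` keeps the round trip through `umask(old_umask)` in the second hunk type-exact (on WIN32 this presumes the port layer provides `mode_t`, which I cannot confirm from the hunk). The restore in the second hunk sits after the `die_horribly` check, which is fine only because die_horribly does not return; if it ever did, the process would keep the restricted mask. Since umask() is process-wide, any other file created between the two calls inherits the restricted mode, so the new comment could add one line: `* umask() is process-wide; keep the window between the two calls minimal.` tarOpen's body starts before this hunk and continues past the second one.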
@@ -411,6 +421,8 @@ tarOpen(ArchiveHandle *AH, const char *filename, char mode)
                if (tm->tmpFH == NULL)
                        die_horribly(AH, modulename, "could not generate temporary file name: %s\n", strerror(errno));
 
+               umask(old_umask);
+
 #ifdef HAVE_LIBZ
 
                if (AH->compression != 0)