Prevent pg_ctl from being run as root. Since it uses configuration files

owned by postgres, doing "pg_ctl start" as root could allow a privilege
escalation attack, as pointed out by iDEFENSE.  Of course the postmaster would
fail, but we ought to fail a little sooner to protect sysadmins unfamiliar
with Postgres.  The chosen fix is to disable root use of pg_ctl in all cases,
just to be confident there are no other holes.

diff --git a/src/bin/pg_ctl/pg_ctl.c b/src/bin/pg_ctl/pg_ctl.c
index 4f1c47af86c9223a4e95aac9abafc7934ccb09b3..054e8d78227d116020b257ac50b31413d678d9b6 100644 (file)
--- a/src/bin/pg_ctl/pg_ctl.c
+++ b/src/bin/pg_ctl/pg_ctl.c
@@ -4,7 +4,7 @@
  *
  * Portions Copyright (c) 1996-2004, PostgreSQL Global Development Group
  *
- * $PostgreSQL: pgsql/src/bin/pg_ctl/pg_ctl.c,v 1.41 2004/10/19 13:38:53 petere Exp $
+ * $PostgreSQL: pgsql/src/bin/pg_ctl/pg_ctl.c,v 1.42 2004/10/22 00:24:18 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -14,9 +14,9 @@
 
 #include <locale.h>
 #include <signal.h>
-#include <errno.h>
 #include <sys/types.h>
 #include <sys/stat.h>
+#include <unistd.h>
 
 #include "libpq/pqsignal.h"
 #include "getopt_long.h"
@@ -1229,6 +1229,7 @@ main(int argc, char **argv)
 
        umask(077);
 
+       /* support --help and --version even if invoked as root */
        if (argc > 1)
        {
                if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 ||
@@ -1244,6 +1245,23 @@ main(int argc, char **argv)
                }
        }
 
+       /*
+        * Disallow running as root, to forestall any possible security holes.
+        */
+#ifndef WIN32
+#ifndef __BEOS__                               /* no root check on BEOS */
+       if (geteuid() == 0)
+       {
+               write_stderr(_("%s: cannot be run as root\n"
+                                          "Please log in (using, e.g., \"su\") as the "
+                                          "(unprivileged) user that will\n"
+                                          "own the server process.\n"),
+                                        progname);
+               exit(1);
+       }
+#endif
+#endif
+
        /*
         * 'Action' can be before or after args so loop over both. Some
         * getopt_long() implementations will reorder argv[] to place all