Skip site navigation (1) Skip section navigation (2)

Re: BUG #5275: validate_exec in port/exec.c only reads u/g/o, not ACLs

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: James Bellinger <jfb(at)zer7(dot)com>, pgsql-bugs(at)postgresql(dot)org
Subject: Re: BUG #5275: validate_exec in port/exec.c only reads u/g/o, not ACLs
Date: 2010-01-14 04:26:53
Message-ID: 201001140426.o0E4Qri03683@momjian.us (view raw or flat)
Thread:
Lists: pgsql-bugs
Tom Lane wrote:
> "James Bellinger" <jfb(at)zer7(dot)com> writes:
> > I'm not certain of the actual *purpose* for this function even checking in
> > the first place, but the result is that, if Postgres gets its access via an
> > ACL, it will say 'invalid binary' here and there, will not be able to find
> > its own executables, etc. I can see no purpose for this function.
> 
> Hmm.  I wonder why we have all that complexity at all, rather than using
> access(2).  The man page says it checks against real not effective uid,
> but since we don't run setuid I think there's no difference.
> 
> [ pokes in CVS history ... ]  Oh, this is interesting: this code looks
> like this clear back to the original Berkeley import, and back then it
> had this comment:
> 
> 	* We use the effective uid here because the backend will not have
> 	* executed setuid() by the time it calls this routine.
> 
> So once upon a time there was a reason to try to implement access()
> for ourselves, but it's long gone.  Comments?

I am not sure of its purpose either.  I remember having to call it in
the old postmaster code before /port was added, but again, I am not sure
why we didn't use access().

I think access's reputation as something to avoid caused us not to look
at it.  My old BSD manual says about access():

CAVEAT
     The access() function should be used rarely, if ever.  Specifically,
     access() should never be used by any program whose user real and effec-
     tive IDs, or group real and effective IDs, differ.  At best, using
     access() in this situation can produce a misleading result, because the
     system call permission checks are based on effective IDs.  Thus, access()
     might return that the file is accessible, when the corresponding open(2)
     or exec(2) call would fail, or vice-versa.  In addition, the permissions
     on the file, or the path leading to the file, may change between the time
     access() makes its test and the eventual system call.  This timing race
     applies to all uses of access(), so it is better to attempt the operation
     itself to see if it will succeed.  (Processes designed to run setuid or
     setgid should call seteuid(2) or setegid(2) as needed to suspend their
     special privileges.)

-- 
  Bruce Momjian  <bruce(at)momjian(dot)us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +

In response to

Responses

pgsql-bugs by date

Next:From: Tom LaneDate: 2010-01-14 04:35:27
Subject: Re: BUG #5275: validate_exec in port/exec.c only reads u/g/o, not ACLs
Previous:From: Justin PittsDate: 2010-01-14 03:22:30
Subject: Re: BUG #5269: postgres backend terminates with SIGSEGV

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group