| From: | Magnus Hagander <magnus(at)hagander(dot)net> | 
|---|---|
| To: | Michael Paquier <michael(at)paquier(dot)xyz> | 
| Cc: | Postgres hackers <pgsql-hackers(at)postgresql(dot)org> | 
| Subject: | Re: Fix pg_rewind which can be run as root user | 
| Date: | 2018-04-09 19:23:35 | 
| Message-ID: | CABUevEx3hNEbBQ4dqsvA7u_t2A9oTfXH523ePWog05axZRZKCQ@mail.gmail.com | 
| Lists: | pgsql-hackers | 
On Mon, Apr 9, 2018 at 7:11 AM, Michael Paquier <michael(at)paquier(dot)xyz> wrote:
> Hi all,
>
> I was just going through pg_rewind's code, and noticed the following
> pearl:
>     /*
>      * Don't allow pg_rewind to be run as root, to avoid overwriting the
>      * ownership of files in the data directory. We need only check for root
>      * -- any other user won't have sufficient permissions to modify files in
>      * the data directory.
>      */
> #ifndef WIN32
>     if (geteuid() == 0)
>     {
>         fprintf(stderr, _("cannot be executed by \"root\"\n"));
>         fprintf(stderr, _("You must run %s as the PostgreSQL superuser.\n"),
>                 progname);
>     }
> #endif
>
> While that's nice to inform the user about the problem, that actually
> does not prevent pg_rewind to run as root.  Attached is a patch, which
> needs a back-patch down to 9.5.
>
Seems simple enough and the right thing to do, but I wonder if we should
really backpatch it. Yes, the behaviour is not great now, but there is also
a non-zero risk of breaking people's automated failover scripts if we
backpatch it, isn't it?
-- 
 Magnus Hagander
 Me: https://www.hagander.net/
 Work: https://www.redpill-linpro.com/
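An added example, not pg_rewind's own code and not the attached patch, that isolates the control-flow point raised in the thread: the quoted check prints a diagnostic when the effective uid is 0 but then lets execution continue, whereas a correct check refuses to proceed. The functions `root_check_original` and `root_check_fixed` and the `progname` stand-in are constructed for this illustration; returning `false` stands in for the `exit(1)` a real tool would call.

```c
#include <stdio.h>
#include <stdbool.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed stand-in for the tool's progname global. */
static const char *progname = "pg_rewind";

/*
 * Mirrors the control flow quoted in the thread: the message is printed
 * when euid is 0, but nothing stops execution, so the caller goes on to
 * rewind the data directory as root.  Returns true when the caller would
 * proceed.
 */
bool
root_check_original(uid_t euid)
{
    if (euid == 0)
    {
        fprintf(stderr, "cannot be executed by \"root\"\n");
        fprintf(stderr, "You must run %s as the PostgreSQL superuser.\n", progname);
    }
    return true;   /* defect: falls through regardless of euid */
}

/*
 * Corrected form: the same diagnostic, but the caller is told to stop.
 * A real tool would exit(1) here instead of returning false.
 */
bool
root_check_fixed(uid_t euid)
{
    if (euid == 0)
    {
        fprintf(stderr, "cannot be executed by \"root\"\n");
        fprintf(stderr, "You must run %s as the PostgreSQL superuser.\n", progname);
        return false;
    }
    return true;
}

int
main(void)
{
    /* In the real tool the check is fed geteuid(); refuse to continue as root. */
    if (!root_check_fixed(geteuid()))
        return 1;
    printf("running as uid %d, proceeding\n", (int) geteuid());
    return 0;
}
```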