opensourcemirror
/
postgresql
mirror of git://git.postgresql.org/git/postgresql.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Allow group access on PGDATA 

Allow the cluster to be optionally init'd with read access for the
group.

This means a relatively non-privileged user can perform a backup of the
cluster without requiring write privileges, which enhances security.

The mode of PGDATA is used to determine whether group permissions are
enabled for directory and file creates.  This method was chosen as it's
simple and works well for the various utilities that write into PGDATA.

Changing the mode of PGDATA manually will not automatically change the
mode of all the files contained therein.  If the user would like to
enable group access on an existing cluster then changing the mode of all
the existing files will be required.  Note that pg_upgrade will
automatically change the mode of all migrated files if the new cluster
is init'd with the -g option.

Tests are included for the backend and all the utilities which operate
on the PG data directory to ensure that the correct mode is set based on
the data directory permissions.

Author: David Steele <david@pgmasters.net>
Reviewed-By: Michael Paquier, with discussion amongst many others.
Discussion: https://postgr.es/m/ad346fe6-b23e-59f1-ecb7-0e08390ad629%40pgmasters.net
This commit is contained in:
Stephen Frost 2018-04-07 17:45:39 -04:00
parent da9b580d89
commit c37b3d08ca
32 changed files with 661 additions and 127 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
doc/src/sgml/config.sgml
View File

@ -8144,6 +8144,23 @@ dynamic_library_path = 'C:\tools\postgresql;H:\my_project\lib;$libdir'
</listitem>
</varlistentry>
<varlistentry id="guc-data-directory-mode" xreflabel="data_directory_mode">
<term><varname>data_directory_mode</varname> (<type>integer</type>)
<indexterm>
<primary><varname>data_directory_mode</varname> configuration parameter</primary>
</indexterm>
</term>
<listitem>
<para>
On Unix systems this parameter reports the permissions of the data
directory defined by (<xref linkend="guc-data-directory"/>) at startup.
(On Microsoft Windows this parameter will always display
<literal>0700</literal>). See
<xref linkend="app-initdb-allow-group-access"/> for more information.
</para>
</listitem>
</varlistentry>
<varlistentry id="guc-debug-assertions" xreflabel="debug_assertions">
<term><varname>debug_assertions</varname> (<type>boolean</type>)
<indexterm>

19
doc/src/sgml/ref/initdb.sgml
View File

@ -76,6 +76,14 @@ PostgreSQL documentation
to do so.)
</para>
<para>
For security reasons the new cluster created by <command>initdb</command>
will only be accessible by the cluster owner by default. The
<option>--allow-group-access</option> option allows any user in the same
group as the cluster owner to read files in the cluster. This is useful
for performing backups as a non-privileged user.
</para>
<para>
<command>initdb</command> initializes the database cluster's default
locale and character set encoding. The character set encoding,
@ -188,6 +196,17 @@ PostgreSQL documentation
</listitem>
</varlistentry>
<varlistentry id="app-initdb-allow-group-access" xreflabel="group access">
<term><option>-g</option></term>
<term><option>--allow-group-access</option></term>
<listitem>
<para>
Allows users in the same group as the cluster owner to read all cluster
files created by <command>initdb</command>.
</para>
</listitem>
</varlistentry>
<varlistentry id="app-initdb-data-checksums" xreflabel="data checksums">
<term><option>-k</option></term>
<term><option>--data-checksums</option></term>

6
doc/src/sgml/ref/pg_basebackup.sgml
View File

@ -737,6 +737,12 @@ PostgreSQL documentation
or later.
</para>
<para>
<application>pg_basebackup</application> will preserve group permissions in
both the <literal>plain</literal> and <literal>tar</literal> formats if group
permissions are enabled on the source cluster.
</para>
</refsect1>
<refsect1>

6
doc/src/sgml/ref/pg_receivewal.sgml
View File

@ -425,6 +425,12 @@ PostgreSQL documentation
not keep up with fetching the WAL data.
</para>
<para>
<application>pg_receivewal</application> will preserve group permissions on
the received WAL files if group permissions are enabled on the source
cluster.
</para>
</refsect1>
<refsect1>

11
doc/src/sgml/ref/pg_recvlogical.sgml
View File

@ -399,6 +399,17 @@ PostgreSQL documentation
</para>
</refsect1>
<refsect1>
<title>Notes</title>
<para>
<application>pg_recvlogical</application> will preserve group permissions on
the received WAL files if group permissions are enabled on the source
cluster.
</para>
</refsect1>
<refsect1>
<title>Examples</title>

26
doc/src/sgml/runtime.sgml
View File

@ -137,7 +137,22 @@ postgres$ <userinput>initdb -D /usr/local/pgsql/data</userinput>
database, it is essential that it be secured from unauthorized
access. <command>initdb</command> therefore revokes access
permissions from everyone but the
<productname>PostgreSQL</productname> user.
<productname>PostgreSQL</productname> user, and optionally, group.
Group access, when enabled, is read-only. This allows an unprivileged
user in the same group as the cluster owner to take a backup of the
cluster data or perform other operations that only require read access.
</para>
<para>
Note that enabling or disabling group access on an existing cluster requires
the cluster to be shut down and the appropriate mode to be set on all
directories and files before restarting
<productname>PostgreSQL</productname>. Otherwise, a mix of modes might
exist in the data directory. For clusters that allow access only by the
owner, the appropriate modes are <literal>0700</literal> for directories
and <literal>0600</literal> for files. For clusters that also allow
reads by the group, the appropriate modes are <literal>0750</literal>
for directories and <literal>0640</literal> for files.
</para>
<para>
@ -2194,6 +2209,15 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
member of the group that has access to those certificate and key files.
</para>
<para>
If the data directory allows group read access then certificate files may
need to be located outside of the data directory in order to conform to the
security requirements outlined above. Generally, group access is enabled
to allow an unprivileged user to backup the database, and in that case the
backup software will not be able to read the certificate files and will
likely error.
</para>
<para>
If the private key is protected with a passphrase, the
server will prompt for the passphrase and will not start until it has

12
src/backend/bootstrap/bootstrap.c
View File

@ -349,13 +349,15 @@ AuxiliaryProcessMain(int argc, char *argv[])
proc_exit(1);
}
/* Validate we have been given a reasonable-looking DataDir */
Assert(DataDir);
ValidatePgVersion(DataDir);
/* Change into DataDir (if under postmaster, should be done already) */
/*
* Validate we have been given a reasonable-looking DataDir and change
* into it (if under postmaster, should be done already).
*/
if (!IsUnderPostmaster)
{
checkDataDir();
ChangeToDataDir();
}
/* If standalone, create lockfile for data directory */
if (!IsUnderPostmaster)

87
src/backend/postmaster/postmaster.c
View File

@ -391,7 +391,7 @@ static DNSServiceRef bonjour_sdref = NULL;
static void CloseServerPorts(int status, Datum arg);
static void unlink_external_pid_file(int status, Datum arg);
static void getInstallationPaths(const char *argv0);
static void checkDataDir(void);
static void checkControlFile(void);
static Port *ConnCreate(int serverFd);
static void ConnFree(Port *port);
static void reset_shared(int port);
@ -588,7 +588,12 @@ PostmasterMain(int argc, char *argv[])
IsPostmasterEnvironment = true;
/*
* for security, no dir or file created can be group or other accessible
* We should not be creating any files or directories before we check the
* data directory (see checkDataDir()), but just in case set the umask to
* the most restrictive (owner-only) permissions.
*
* checkDataDir() will reset the umask based on the data directory
* permissions.
*/
umask(PG_MODE_MASK_OWNER);
@ -877,6 +882,9 @@ PostmasterMain(int argc, char *argv[])
/* Verify that DataDir looks reasonable */
checkDataDir();
/* Check that pg_control exists */
checkControlFile();
/* And switch working directory into it */
ChangeToDataDir();
@ -1469,82 +1477,17 @@ getInstallationPaths(const char *argv0)
*/
}
/*
* Validate the proposed data directory
* Check that pg_control exists in the correct location in the data directory.
*
* No attempt is made to validate the contents of pg_control here. This is
* just a sanity check to see if we are looking at a real data directory.
*/
static void
checkDataDir(void)
checkControlFile(void)
{
char path[MAXPGPATH];
FILE *fp;
struct stat stat_buf;
Assert(DataDir);
if (stat(DataDir, &stat_buf) != 0)
{
if (errno == ENOENT)
ereport(FATAL,
(errcode_for_file_access(),
errmsg("data directory \"%s\" does not exist",
DataDir)));
else
ereport(FATAL,
(errcode_for_file_access(),
errmsg("could not read permissions of directory \"%s\": %m",
DataDir)));
}
/* eventual chdir would fail anyway, but let's test ... */
if (!S_ISDIR(stat_buf.st_mode))
ereport(FATAL,
(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
errmsg("specified data directory \"%s\" is not a directory",
DataDir)));
/*
* Check that the directory belongs to my userid; if not, reject.
*
* This check is an essential part of the interlock that prevents two
* postmasters from starting in the same directory (see CreateLockFile()).
* Do not remove or weaken it.
*
* XXX can we safely enable this check on Windows?
*/
#if !defined(WIN32) && !defined(__CYGWIN__)
if (stat_buf.st_uid != geteuid())
ereport(FATAL,
(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
errmsg("data directory \"%s\" has wrong ownership",
DataDir),
errhint("The server must be started by the user that owns the data directory.")));
#endif
/*
* Check if the directory has group or world access. If so, reject.
*
* It would be possible to allow weaker constraints (for example, allow
* group access) but we cannot make a general assumption that that is
* okay; for example there are platforms where nearly all users
* customarily belong to the same group. Perhaps this test should be
* configurable.
*
* XXX temporarily suppress check when on Windows, because there may not
* be proper support for Unix-y file permissions. Need to think of a
* reasonable check to apply on Windows.
*/
#if !defined(WIN32) && !defined(__CYGWIN__)
if (stat_buf.st_mode & (S_IRWXG | S_IRWXO))
ereport(FATAL,
(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
errmsg("data directory \"%s\" has group or world access",
DataDir),
errdetail("Permissions should be u=rwx (0700).")));
#endif
/* Look for PG_VERSION before looking for pg_control */
ValidatePgVersion(DataDir);
snprintf(path, sizeof(path), "%s/global/pg_control", DataDir);

3
src/backend/tcop/postgres.c
View File

@ -3731,8 +3731,7 @@ PostgresMain(int argc, char *argv[],
* Validate we have been given a reasonable-looking DataDir (if under
* postmaster, assume postmaster did this already).
*/
Assert(DataDir);
ValidatePgVersion(DataDir);
checkDataDir();
/* Change into DataDir (if under postmaster, was done already) */
ChangeToDataDir();

9
src/backend/utils/init/globals.c
View File

@ -16,8 +16,11 @@
*
*-------------------------------------------------------------------------
*/
#include <sys/stat.h>
#include "postgres.h"
#include "common/file_perm.h"
#include "libpq/libpq-be.h"
#include "libpq/pqcomm.h"
#include "miscadmin.h"
@ -59,6 +62,12 @@ struct Latch *MyLatch;
*/
char *DataDir = NULL;
/*
* Mode of the data directory. The default is 0700 but may it be changed in
* checkDataDir() to 0750 if the data directory actually has that mode.
*/
int data_directory_mode = PG_DIR_MODE_OWNER;
char OutputFileName[MAXPGPATH]; /* debugging output file */
char my_exec_path[MAXPGPATH]; /* full path to my executable */

115
src/backend/utils/init/miscinit.c
View File

@ -88,6 +88,100 @@ SetDatabasePath(const char *path)
DatabasePath = MemoryContextStrdup(TopMemoryContext, path);
}
/*
* Validate the proposed data directory.
*
* Also initialize file and directory create modes and mode mask.
*/
void
checkDataDir(void)
{
struct stat stat_buf;
Assert(DataDir);
if (stat(DataDir, &stat_buf) != 0)
{
if (errno == ENOENT)
ereport(FATAL,
(errcode_for_file_access(),
errmsg("data directory \"%s\" does not exist",
DataDir)));
else
ereport(FATAL,
(errcode_for_file_access(),
errmsg("could not read permissions of directory \"%s\": %m",
DataDir)));
}
/* eventual chdir would fail anyway, but let's test ... */
if (!S_ISDIR(stat_buf.st_mode))
ereport(FATAL,
(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
errmsg("specified data directory \"%s\" is not a directory",
DataDir)));
/*
* Check that the directory belongs to my userid; if not, reject.
*
* This check is an essential part of the interlock that prevents two
* postmasters from starting in the same directory (see CreateLockFile()).
* Do not remove or weaken it.
*
* XXX can we safely enable this check on Windows?
*/
#if !defined(WIN32) && !defined(__CYGWIN__)
if (stat_buf.st_uid != geteuid())
ereport(FATAL,
(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
errmsg("data directory \"%s\" has wrong ownership",
DataDir),
errhint("The server must be started by the user that owns the data directory.")));
#endif
/*
* Check if the directory has correct permissions. If not, reject.
*
* Only two possible modes are allowed, 0700 and 0750. The latter mode
* indicates that group read/execute should be allowed on all newly
* created files and directories.
*
* XXX temporarily suppress check when on Windows, because there may not
* be proper support for Unix-y file permissions. Need to think of a
* reasonable check to apply on Windows.
*/
#if !defined(WIN32) && !defined(__CYGWIN__)
if (stat_buf.st_mode & PG_MODE_MASK_GROUP)
ereport(FATAL,
(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
errmsg("data directory \"%s\" has invalid permissions",
DataDir),
errdetail("Permissions should be u=rwx (0700) or u=rwx,g=rx (0750).")));
#endif
/*
* Reset creation modes and mask based on the mode of the data directory.
*
* The mask was set earlier in startup to disallow group permissions on
* newly created files and directories. However, if group read/execute
* are present on the data directory then modify the create modes and mask
* to allow group read/execute on newly created files and directories and
* set the data_directory_mode GUC.
*
* Suppress when on Windows, because there may not be proper support for
* Unix-y file permissions.
*/
#if !defined(WIN32) && !defined(__CYGWIN__)
SetDataDirectoryCreatePerm(stat_buf.st_mode);
umask(pg_mode_mask);
data_directory_mode = pg_dir_create_mode;
#endif
/* Check for PG_VERSION */
ValidatePgVersion(DataDir);
}
/*
* Set data directory, but make sure it's an absolute path. Use this,
* never set DataDir directly.
@ -829,7 +923,7 @@ CreateLockFile(const char *filename, bool amPostmaster,
/*
* Try to create the lock file --- O_EXCL makes this atomic.
*
* Think not to make the file protection weaker than 0600. See
* Think not to make the file protection weaker than 0600/0640. See
* comments below.
*/
fd = open(filename, O_RDWR | O_CREAT | O_EXCL, pg_file_create_mode);
@ -899,17 +993,14 @@ CreateLockFile(const char *filename, bool amPostmaster,
* implies that the existing process has a different userid than we
* do, which means it cannot be a competing postmaster. A postmaster
* cannot successfully attach to a data directory owned by a userid
* other than its own. (This is now checked directly in
* checkDataDir(), but has been true for a long time because of the
* restriction that the data directory isn't group- or
* world-accessible.) Also, since we create the lockfiles mode 600,
* we'd have failed above if the lockfile belonged to another userid
* --- which means that whatever process kill() is reporting about
* isn't the one that made the lockfile. (NOTE: this last
* consideration is the only one that keeps us from blowing away a
* Unix socket file belonging to an instance of Postgres being run by
* someone else, at least on machines where /tmp hasn't got a
* stickybit.)
* other than its own, as enforced in checkDataDir(). Also, since we
* create the lockfiles mode 0600/0640, we'd have failed above if the
* lockfile belonged to another userid --- which means that whatever
* process kill() is reporting about isn't the one that made the
* lockfile. (NOTE: this last consideration is the only one that
* keeps us from blowing away a Unix socket file belonging to an
* instance of Postgres being run by someone else, at least on
* machines where /tmp hasn't got a stickybit.)
*/
if (other_pid != my_pid && other_pid != my_p_pid &&
other_pid != my_gp_pid)

25
src/backend/utils/misc/guc.c
View File

@ -194,6 +194,7 @@ static void assign_application_name(const char *newval, void *extra);
static bool check_cluster_name(char **newval, void **extra, GucSource source);
static const char *show_unix_socket_permissions(void);
static const char *show_log_file_mode(void);
static const char *show_data_directory_mode(void);
/* Private functions in guc-file.l that need to be called from guc.c */
static ConfigVariable *ProcessConfigFileInternal(GucContext context,
@ -2044,6 +2045,21 @@ static struct config_int ConfigureNamesInt[] =
NULL, NULL, show_log_file_mode
},
{
{"data_directory_mode", PGC_INTERNAL, PRESET_OPTIONS,
gettext_noop("Mode of the data directory."),
gettext_noop("The parameter value is a numeric mode specification "
"in the form accepted by the chmod and umask system "
"calls. (To use the customary octal format the number "
"must start with a 0 (zero).)"),
GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE
},
&data_directory_mode,
0700, 0000, 0777,
NULL, NULL, show_data_directory_mode
},
{
{"work_mem", PGC_USERSET, RESOURCES_MEM,
gettext_noop("Sets the maximum memory to be used for query workspaces."),
@ -10744,4 +10760,13 @@ show_log_file_mode(void)
return buf;
}
static const char *
show_data_directory_mode(void)
{
static char buf[12];
snprintf(buf, sizeof(buf), "%04o", data_directory_mode);
return buf;
}
#include "guc-file.c"

29
src/bin/initdb/initdb.c
View File

@ -1168,6 +1168,19 @@ setup_config(void)
"password_encryption = scram-sha-256");
}
/*
* If group access has been enabled for the cluster then it makes sense to
* ensure that the log files also allow group access. Otherwise a backup
* from a user in the group would fail if the log files were not
* relocated.
*/
if (pg_dir_create_mode == PG_DIR_MODE_GROUP)
{
conflines = replace_token(conflines,
"#log_file_mode = 0600",
"log_file_mode = 0640");
}
snprintf(path, sizeof(path), "%s/postgresql.conf", pg_data);
writefile(path, conflines);
@ -2312,6 +2325,7 @@ usage(const char *progname)
printf(_(" --auth-local=METHOD default authentication method for local-socket connections\n"));
printf(_(" [-D, --pgdata=]DATADIR location for this database cluster\n"));
printf(_(" -E, --encoding=ENCODING set default encoding for new databases\n"));
printf(_(" -g, --allow-group-access allow group read/execute on data directory\n"));
printf(_(" --locale=LOCALE set default locale for new databases\n"));
printf(_(" --lc-collate=, --lc-ctype=, --lc-messages=LOCALE\n"
" --lc-monetary=, --lc-numeric=, --lc-time=LOCALE\n"
@ -2883,8 +2897,13 @@ initialize_data_directory(void)
setup_signals();
/* Set dir/file mode mask */
umask(PG_MODE_MASK_OWNER);
/*
* Set mask based on requested PGDATA permissions. pg_mode_mask, and
* friends like pg_dir_create_mode, are set to owner-only by default and
* then updated if -g is passed in by calling SetDataDirectoryCreatePerm()
* when parsing our options (see above).
*/
umask(pg_mode_mask);
create_data_directory();
@ -3018,6 +3037,7 @@ main(int argc, char *argv[])
{"waldir", required_argument, NULL, 'X'},
{"wal-segsize", required_argument, NULL, 12},
{"data-checksums", no_argument, NULL, 'k'},
{"allow-group-access", no_argument, NULL, 'g'},
{NULL, 0, NULL, 0}
};
@ -3059,7 +3079,7 @@ main(int argc, char *argv[])
/* process command-line options */
while ((c = getopt_long(argc, argv, "dD:E:kL:nNU:WA:sST:X:", long_options, &option_index)) != -1)
while ((c = getopt_long(argc, argv, "dD:E:kL:nNU:WA:sST:X:g", long_options, &option_index)) != -1)
{
switch (c)
{
@ -3153,6 +3173,9 @@ main(int argc, char *argv[])
case 12:
str_wal_segment_size_mb = pg_strdup(optarg);
break;
case 'g':
SetDataDirectoryCreatePerm(PG_DIR_MODE_GROUP);
break;
default:
/* getopt_long already emitted a complaint */
fprintf(stderr, _("Try \"%s --help\" for more information.\n"),

20
src/bin/initdb/t/001_initdb.pl
View File

@ -4,9 +4,11 @@
use strict;
use warnings;
use Fcntl ':mode';
use File::stat qw{lstat};
use PostgresNode;
use TestLib;
use Test::More tests => 16;
use Test::More tests => 18;
my $tempdir = TestLib::tempdir;
my $xlogdir = "$tempdir/pgxlog";
@ -57,3 +59,19 @@ mkdir $datadir;
}
command_ok([ 'initdb', '-S', $datadir ], 'sync only');
command_fails([ 'initdb', $datadir ], 'existing data directory');
# Check group access on PGDATA
SKIP:
{
skip "unix-style permissions not supported on Windows", 2 if ($windows_os);
# Init a new db with group access
my $datadir_group = "$tempdir/data_group";
command_ok(
[ 'initdb', '-g', $datadir_group ],
'successful creation with group access');
ok(check_mode_recursive($datadir_group, 0750, 0640),
'check PGDATA permissions');
}

26
src/bin/pg_basebackup/pg_basebackup.c
View File

@ -2470,14 +2470,6 @@ main(int argc, char **argv)
}
#endif
/*
* Verify that the target directory exists, or create it. For plaintext
* backups, always require the directory. For tar backups, require it
* unless we are writing to stdout.
*/
if (format == 'p' || strcmp(basedir, "-") != 0)
verify_dir_is_empty_or_create(basedir, &made_new_pgdata, &found_existing_pgdata);
/* connection in replication mode to server */
conn = GetConnection();
if (!conn)
@ -2486,6 +2478,24 @@ main(int argc, char **argv)
exit(1);
}
/*
* Set umask so that directories/files are created with the same
* permissions as directories/files in the source data directory.
*
* pg_mode_mask is set to owner-only by default and then updated in
* GetConnection() where we get the mode from the server-side with
* RetrieveDataDirCreatePerm() and then call SetDataDirectoryCreatePerm().
*/
umask(pg_mode_mask);
/*
* Verify that the target directory exists, or create it. For plaintext
* backups, always require the directory. For tar backups, require it
* unless we are writing to stdout.
*/
if (format == 'p' || strcmp(basedir, "-") != 0)
verify_dir_is_empty_or_create(basedir, &made_new_pgdata, &found_existing_pgdata);
/* determine remote server's xlog segment size */
if (!RetrieveWalSegSize(conn))
disconnect_and_exit(1);

11
src/bin/pg_basebackup/pg_receivewal.c
View File

@ -19,6 +19,7 @@
#include <sys/stat.h>
#include <unistd.h>
#include "common/file_perm.h"
#include "libpq-fe.h"
#include "access/xlog_internal.h"
#include "getopt_long.h"
@ -703,6 +704,16 @@ main(int argc, char **argv)
if (!RunIdentifySystem(conn, NULL, NULL, NULL, &db_name))
disconnect_and_exit(1);
/*
* Set umask so that directories/files are created with the same
* permissions as directories/files in the source data directory.
*
* pg_mode_mask is set to owner-only by default and then updated in
* GetConnection() where we get the mode from the server-side with
* RetrieveDataDirCreatePerm() and then call SetDataDirectoryCreatePerm().
*/
umask(pg_mode_mask);
/* determine remote server's xlog segment size */
if (!RetrieveWalSegSize(conn))
disconnect_and_exit(1);

11
src/bin/pg_basebackup/pg_recvlogical.c
View File

@ -23,6 +23,7 @@
#include "streamutil.h"
#include "access/xlog_internal.h"
#include "common/file_perm.h"
#include "common/fe_memutils.h"
#include "getopt_long.h"
#include "libpq-fe.h"
@ -959,6 +960,16 @@ main(int argc, char **argv)
disconnect_and_exit(1);
}
/*
* Set umask so that directories/files are created with the same
* permissions as directories/files in the source data directory.
*
* pg_mode_mask is set to owner-only by default and then updated in
* GetConnection() where we get the mode from the server-side with
* RetrieveDataDirCreatePerm() and then call SetDataDirectoryCreatePerm().
*/
umask(pg_mode_mask);
/* Drop a replication slot. */
if (do_drop_slot)
{

76
src/bin/pg_basebackup/streamutil.c
View File

@ -23,6 +23,7 @@
#include "access/xlog_internal.h"
#include "common/fe_memutils.h"
#include "common/file_perm.h"
#include "datatype/timestamp.h"
#include "fe_utils/connect.h"
#include "port/pg_bswap.h"
@ -32,9 +33,16 @@
uint32 WalSegSz;
static bool RetrieveDataDirCreatePerm(PGconn *conn);
/* SHOW command for replication connection was introduced in version 10 */
#define MINIMUM_VERSION_FOR_SHOW_CMD 100000
/*
* Group access is supported from version 11.
*/
#define MINIMUM_VERSION_FOR_GROUP_ACCESS 110000
const char *progname;
char *connection_string = NULL;
char *dbhost = NULL;
@ -254,6 +262,16 @@ GetConnection(void)
exit(1);
}
/*
* Retrieve the source data directory mode and use it to construct a umask
* for creating directories and files.
*/
if (!RetrieveDataDirCreatePerm(tmpconn))
{
PQfinish(tmpconn);
exit(1);
}
return tmpconn;
}
@ -327,6 +345,64 @@ RetrieveWalSegSize(PGconn *conn)
return true;
}
/*
* RetrieveDataDirCreatePerm
*
* This function is used to determine the privileges on the server's PG data
* directory and, based on that, set what the permissions will be for
* directories and files we create.
*
* PG11 added support for (optionally) group read/execute rights to be set on
* the data directory. Prior to PG11, only the owner was allowed to have rights
* on the data directory.
*/
static bool
RetrieveDataDirCreatePerm(PGconn *conn)
{
PGresult *res;
int data_directory_mode;
/* check connection existence */
Assert(conn != NULL);
/* for previous versions leave the default group access */
if (PQserverVersion(conn) < MINIMUM_VERSION_FOR_GROUP_ACCESS)
return true;
res = PQexec(conn, "SHOW data_directory_mode");
if (PQresultStatus(res) != PGRES_TUPLES_OK)
{
fprintf(stderr, _("%s: could not send replication command \"%s\": %s\n"),
progname, "SHOW data_directory_mode", PQerrorMessage(conn));
PQclear(res);
return false;
}
if (PQntuples(res) != 1 || PQnfields(res) < 1)
{
fprintf(stderr,
_("%s: could not fetch group access flag: got %d rows and %d fields, expected %d rows and %d or more fields\n"),
progname, PQntuples(res), PQnfields(res), 1, 1);
PQclear(res);
return false;
}
if (sscanf(PQgetvalue(res, 0, 0), "%o", &data_directory_mode) != 1)
{
fprintf(stderr, _("%s: group access flag could not be parsed: %s\n"),
progname, PQgetvalue(res, 0, 0));
PQclear(res);
return false;
}
SetDataDirectoryCreatePerm(data_directory_mode);
PQclear(res);
return true;
}
/*
* Run IDENTIFY_SYSTEM through a given connection and give back to caller
* some result information if requested:

21
src/bin/pg_basebackup/t/010_pg_basebackup.pl
View File

@ -6,7 +6,7 @@ use File::Basename qw(basename dirname);
use File::Path qw(rmtree);
use PostgresNode;
use TestLib;
use Test::More tests => 105;
use Test::More tests => 106;
program_help_ok('pg_basebackup');
program_version_ok('pg_basebackup');
@ -44,10 +44,17 @@ $node->command_fails(
ok(!-d "$tempdir/backup", 'backup directory was cleaned up');
# Create a backup directory that is not empty so the next commnd will fail
# but leave the data directory behind
mkdir("$tempdir/backup")
or BAIL_OUT("unable to create $tempdir/backup");
append_to_file("$tempdir/backup/dir-not-empty.txt");
$node->command_fails([ 'pg_basebackup', '-D', "$tempdir/backup", '-n' ],
'failing run with no-clean option');
ok(-d "$tempdir/backup", 'backup directory was created and left behind');
rmtree("$tempdir/backup");
open my $conf, '>>', "$pgdata/postgresql.conf";
print $conf "max_replication_slots = 10\n";
@ -200,11 +207,17 @@ unlink "$pgdata/$superlongname";
# skip on Windows.
SKIP:
{
skip "symlinks not supported on Windows", 17 if ($windows_os);
skip "symlinks not supported on Windows", 18 if ($windows_os);
# Move pg_replslot out of $pgdata and create a symlink to it.
$node->stop;
# Set umask so test directories and files are created with group permissions
umask(0027);
# Enable group permissions on PGDATA
chmod_recursive("$pgdata", 0750, 0640);
rename("$pgdata/pg_replslot", "$tempdir/pg_replslot")
or BAIL_OUT "could not move $pgdata/pg_replslot";
symlink("$tempdir/pg_replslot", "$pgdata/pg_replslot")
@ -275,6 +288,10 @@ SKIP:
"tablespace symlink was updated");
closedir $dh;
# Group access should be enabled on all backup files
ok(check_mode_recursive("$tempdir/backup1", 0750, 0640),
"check backup dir permissions");
# Unlogged relation forks other than init should not be copied
my ($tblspc1UnloggedBackupPath) = $tblspc1UnloggedPath =~ /[^\/]*\/[^\/]*\/[^\/]*$/g;

12
src/bin/pg_ctl/pg_ctl.c
View File

@ -2171,7 +2171,7 @@ main(int argc, char **argv)
*/
argv0 = argv[0];
/* Set dir/file mode mask */
/* Set restrictive mode mask until PGDATA permissions are checked */
umask(PG_MODE_MASK_OWNER);
/* support --help and --version even if invoked as root */
@ -2407,6 +2407,16 @@ main(int argc, char **argv)
snprintf(version_file, MAXPGPATH, "%s/PG_VERSION", pg_data);
snprintf(pid_file, MAXPGPATH, "%s/postmaster.pid", pg_data);
snprintf(backup_file, MAXPGPATH, "%s/backup_label", pg_data);
/*
* Set mask based on PGDATA permissions,
*
* Don't error here if the data directory cannot be stat'd. This is
* handled differently based on the command and we don't want to
* interfere with that logic.
*/
if (GetDataDirectoryCreatePerm(pg_data))
umask(pg_mode_mask);
}
switch (ctl_command)

25
src/bin/pg_ctl/t/001_start_stop.pl
View File

@ -2,9 +2,11 @@ use strict;
use warnings;
use Config;
use Fcntl ':mode';
use File::stat qw{lstat};
use PostgresNode;
use TestLib;
use Test::More tests => 21;
use Test::More tests => 24;
my $tempdir = TestLib::tempdir;
my $tempdir_short = TestLib::tempdir_short;
@ -74,6 +76,27 @@ SKIP:
ok(check_mode_recursive("$tempdir/data", 0700, 0600));
}
# Log file for group access test
$logFileName = "$tempdir/data/perm-test-640.log";
SKIP:
{
skip "group access not supported on Windows", 3 if ($windows_os);
system_or_bail 'pg_ctl', 'stop', '-D', "$tempdir/data";
# Change the data dir mode so log file will be created with group read
# privileges on the next start
chmod_recursive("$tempdir/data", 0750, 0640);
command_ok(
[ 'pg_ctl', 'start', '-D', "$tempdir/data", '-l', $logFileName ],
'start server to check group permissions');
ok(-f $logFileName);
ok(check_mode_recursive("$tempdir/data", 0750, 0640));
}
command_ok([ 'pg_ctl', 'restart', '-D', "$tempdir/data" ],
'pg_ctl restart with server running');

10
src/bin/pg_resetwal/pg_resetwal.c
View File

@ -363,6 +363,16 @@ main(int argc, char *argv[])
exit(1);
}
/* Set mask based on PGDATA permissions */
if (!GetDataDirectoryCreatePerm(DataDir))
{
fprintf(stderr, _("%s: unable to read permissions from \"%s\"\n"),
progname, DataDir);
exit(1);
}
umask(pg_mode_mask);
/* Check that data directory matches our server version */
CheckDataVersion();

9
src/bin/pg_rewind/RewindTest.pm
View File

@ -115,11 +115,13 @@ sub check_query
sub setup_cluster
{
my $extra_name = shift;
my $extra_name = shift; # Used to differentiate clusters
my $extra = shift; # Extra params for initdb
# Initialize master, data checksums are mandatory
$node_master = get_new_node('master' . ($extra_name ? "_${extra_name}" : ''));
$node_master->init(allows_streaming => 1);
$node_master->init(
allows_streaming => 1, extra => $extra);
# Set wal_keep_segments to prevent WAL segment recycling after enforced
# checkpoints in the tests.
$node_master->append_conf('postgresql.conf', qq(
@ -237,7 +239,8 @@ sub run_pg_rewind
"$tmp_folder/master-postgresql.conf.tmp",
"$master_pgdata/postgresql.conf");
chmod(0600, "$master_pgdata/postgresql.conf")
chmod($node_master->group_access() ? 0640 : 0600,
"$master_pgdata/postgresql.conf")
or BAIL_OUT(
"unable to set permissions for $master_pgdata/postgresql.conf");

11
src/bin/pg_rewind/pg_rewind.c
View File

@ -24,6 +24,7 @@
#include "access/xlog_internal.h"
#include "catalog/catversion.h"
#include "catalog/pg_control.h"
#include "common/file_perm.h"
#include "common/restricted_token.h"
#include "getopt_long.h"
#include "storage/bufpage.h"
@ -185,6 +186,16 @@ main(int argc, char **argv)
exit(1);
}
/* Set mask based on PGDATA permissions */
if (!GetDataDirectoryCreatePerm(datadir_target))
{
fprintf(stderr, _("%s: unable to read permissions from \"%s\"\n"),
progname, datadir_target);
exit(1);
}
umask(pg_mode_mask);
/*
* Don't allow pg_rewind to be run as root, to avoid overwriting the
* ownership of files in the data directory. We need only check for root

13
src/bin/pg_rewind/t/002_databases.pl
View File

@ -1,7 +1,7 @@
use strict;
use warnings;
use TestLib;
use Test::More tests => 4;
use Test::More tests => 6;
use RewindTest;
@ -9,7 +9,7 @@ sub run_test
{
my $test_mode = shift;
RewindTest::setup_cluster($test_mode);
RewindTest::setup_cluster($test_mode, ['-g']);
RewindTest::start_master();
# Create a database in master.
@ -42,6 +42,15 @@ template1
),
'database names');
# Permissions on PGDATA should have group permissions
SKIP:
{
skip "unix-style permissions not supported on Windows", 1 if ($windows_os);
ok(check_mode_recursive($node_master->data_dir(), 0750, 0640),
'check PGDATA permissions');
}
RewindTest::clean_rewind_test();
}

12
src/bin/pg_upgrade/pg_upgrade.c
View File

@ -79,7 +79,7 @@ main(int argc, char **argv)
set_pglocale_pgservice(argv[0], PG_TEXTDOMAIN("pg_upgrade"));
/* Ensure that all files created by pg_upgrade are non-world-readable */
/* Set default restrictive mask until new cluster permissions are read */
umask(PG_MODE_MASK_OWNER);
parseCommandLine(argc, argv);
@ -100,6 +100,16 @@ main(int argc, char **argv)
check_cluster_compatibility(live_check);
/* Set mask based on PGDATA permissions */
if (!GetDataDirectoryCreatePerm(new_cluster.pgdata))
{
pg_log(PG_FATAL, "unable to read permissions from \"%s\"\n",
new_cluster.pgdata);
exit(1);
}
umask(pg_mode_mask);
check_and_dump_old_cluster(live_check);

16
src/bin/pg_upgrade/test.sh
View File

@ -20,9 +20,9 @@ unset MAKELEVEL
# Run a given "initdb" binary and overlay the regression testing
# authentication configuration.
standard_initdb() {
# To increase coverage of non-standard segment size without
# increase test runtime, run these tests with a lower setting.
"$1" -N --wal-segsize 1
# To increase coverage of non-standard segment size and group access
# without increasing test runtime, run these tests with a custom setting.
"$1" -N --wal-segsize 1 -g
if [ -n "$TEMP_CONFIG" -a -r "$TEMP_CONFIG" ]
then
cat "$TEMP_CONFIG" >> "$PGDATA/postgresql.conf"
@ -230,14 +230,14 @@ standard_initdb 'initdb'
pg_upgrade $PG_UPGRADE_OPTS -d "${PGDATA}.old" -D "${PGDATA}" -b "$oldbindir" -B "$bindir" -p "$PGPORT" -P "$PGPORT"
# make sure all directories and files have correct permissions
if [ $(find ${PGDATA} -type f ! -perm 600 | wc -l) -ne 0 ]; then
echo "files in PGDATA with permission != 600";
# make sure all directories and files have group permissions
if [ $(find ${PGDATA} -type f ! -perm 640 | wc -l) -ne 0 ]; then
echo "files in PGDATA with permission != 640";
exit 1;
fi
if [ $(find ${PGDATA} -type d ! -perm 700 | wc -l) -ne 0 ]; then
echo "directories in PGDATA with permission != 700";
if [ $(find ${PGDATA} -type d ! -perm 750 | wc -l) -ne 0 ]; then
echo "directories in PGDATA with permission != 750";
exit 1;
fi

72
src/common/file_perm.c
View File

@ -12,8 +12,76 @@
*/
#include <sys/stat.h>
#include "c.h"
#include "common/file_perm.h"
/* Modes for creating directories and files in the data directory */
int pg_dir_create_mode = PG_DIR_MODE_OWNER;
int pg_file_create_mode = PG_FILE_MODE_OWNER;
int pg_dir_create_mode = PG_DIR_MODE_OWNER;
int pg_file_create_mode = PG_FILE_MODE_OWNER;
/*
* Mode mask to pass to umask(). This is more of a preventative measure since
* all file/directory creates should be performed using the create modes above.
*/
int pg_mode_mask = PG_MODE_MASK_OWNER;
/*
* Set create modes and mask to use when writing to PGDATA based on the data
* directory mode passed. If group read/execute are present in the mode, then
* create modes and mask will be relaxed to allow group read/execute on all
* newly created files and directories.
*/
void
SetDataDirectoryCreatePerm(int dataDirMode)
{
/* If the data directory mode has group access */
if ((PG_DIR_MODE_GROUP & dataDirMode) == PG_DIR_MODE_GROUP)
{
pg_dir_create_mode = PG_DIR_MODE_GROUP;
pg_file_create_mode = PG_FILE_MODE_GROUP;
pg_mode_mask = PG_MODE_MASK_GROUP;
}
/* Else use default permissions */
else
{
pg_dir_create_mode = PG_DIR_MODE_OWNER;
pg_file_create_mode = PG_FILE_MODE_OWNER;
pg_mode_mask = PG_MODE_MASK_OWNER;
}
}
#ifdef FRONTEND
/*
* Get the create modes and mask to use when writing to PGDATA by examining the
* mode of the PGDATA directory and calling SetDataDirectoryCreatePerm().
*
* Errors are not handled here and should be reported by the application when
* false is returned.
*
* Suppress when on Windows, because there may not be proper support for Unix-y
* file permissions.
*/
bool
GetDataDirectoryCreatePerm(const char *dataDir)
{
#if !defined(WIN32) && !defined(__CYGWIN__)
struct stat statBuf;
/*
* If an error occurs getting the mode then return false. The caller is
* responsible for generating an error, if appropriate, indicating that we
* were unable to access the data directory.
*/
if (stat(dataDir, &statBuf) == -1)
return false;
/* Set permissions */
SetDataDirectoryCreatePerm(statBuf.st_mode);
return true;
#endif /* !defined(WIN32) && !defined(__CYGWIN__) */
}
#endif /* FRONTEND */

24
src/include/common/file_perm.h
View File

@ -21,14 +21,34 @@
*/
#define PG_MODE_MASK_OWNER (S_IRWXG | S_IRWXO)
/*
* Mode mask for data directory permissions that also allows group read/execute.
*/
#define PG_MODE_MASK_GROUP (S_IWGRP | S_IRWXO)
/* Default mode for creating directories */
#define PG_DIR_MODE_OWNER S_IRWXU
/* Mode for creating directories that allows group read/execute */
#define PG_DIR_MODE_GROUP (S_IRWXU | S_IRGRP | S_IXGRP)
/* Default mode for creating files */
#define PG_FILE_MODE_OWNER (S_IRUSR | S_IWUSR)
/* Mode for creating files that allows group read */
#define PG_FILE_MODE_GROUP (S_IRUSR | S_IWUSR | S_IRGRP)
/* Modes for creating directories and files in the data directory */
extern int pg_dir_create_mode;
extern int pg_file_create_mode;
extern int pg_dir_create_mode;
extern int pg_file_create_mode;
/* Mode mask to pass to umask() */
extern int pg_mode_mask;
/* Set permissions and mask based on the provided mode */
extern void SetDataDirectoryCreatePerm(int dataDirMode);
/* Set permissions and mask based on the mode of the data directory */
extern bool GetDataDirectoryCreatePerm(const char *dataDir);
#endif /* FILE_PERM_H */

2
src/include/miscadmin.h
View File

@ -153,6 +153,7 @@ extern PGDLLIMPORT bool IsBinaryUpgrade;
extern PGDLLIMPORT bool ExitOnAnyError;
extern PGDLLIMPORT char *DataDir;
extern PGDLLIMPORT int data_directory_mode;
extern PGDLLIMPORT int NBuffers;
extern PGDLLIMPORT int MaxBackends;
@ -323,6 +324,7 @@ extern void SetSessionAuthorization(Oid userid, bool is_superuser);
extern Oid GetCurrentRoleId(void);
extern void SetCurrentRoleId(Oid roleid, bool is_superuser);
extern void checkDataDir(void);
extern void SetDataDir(const char *dir);
extern void ChangeToDataDir(void);

27
src/test/perl/PostgresNode.pm
View File

@ -86,9 +86,11 @@ use Carp;
use Config;
use Cwd;
use Exporter 'import';
use Fcntl qw(:mode);
use File::Basename;
use File::Path qw(rmtree);
use File::Spec;
use File::stat qw(stat);
use File::Temp ();
use IPC::Run;
use RecursiveCopy;
@ -269,6 +271,26 @@ sub connstr
=pod
=item $node->group_access()
Does the data dir allow group access?
=cut
sub group_access
{
my ($self) = @_;
my $dir_stat = stat($self->data_dir);
defined($dir_stat)
or die('unable to stat ' . $self->data_dir);
return (S_IMODE($dir_stat->mode) == 0750);
}
=pod
=item $node->data_dir()
Returns the path to the data directory. postgresql.conf and pg_hba.conf are
@ -460,6 +482,9 @@ sub init
}
close $conf;
chmod($self->group_access ? 0640 : 0600, "$pgdata/postgresql.conf")
or die("unable to set permissions for $pgdata/postgresql.conf");
$self->set_replication_conf if $params{allows_streaming};
$self->enable_archiving if $params{has_archiving};
}
@ -485,7 +510,7 @@ sub append_conf
TestLib::append_to_file($conffile, $str . "\n");
chmod(0600, $conffile)
chmod($self->group_access() ? 0640 : 0600, $conffile)
or die("unable to set permissions for $conffile");
}

25
src/test/perl/TestLib.pm
View File

@ -31,6 +31,7 @@ our @EXPORT = qw(
slurp_file
append_to_file
check_mode_recursive
chmod_recursive
check_pg_config
system_or_bail
system_log
@ -313,6 +314,30 @@ sub check_mode_recursive
return $result;
}
# Change mode recursively on a directory
sub chmod_recursive
{
my ($dir, $dir_mode, $file_mode) = @_;
find
(
{follow_fast => 1,
wanted =>
sub
{
my $file_stat = stat($File::Find::name);
if (defined($file_stat))
{
chmod(S_ISDIR($file_stat->mode) ? $dir_mode : $file_mode,
$File::Find::name)
or die "unable to chmod $File::Find::name";
}
}},
$dir
);
}
# Check presence of a given regexp within pg_config.h for the installation
# where tests are running, returning a match status result depending on
# that.