Fix process startup in pg_rewind.

Don't allow pg_rewind to run as root on Unix platforms, as any new or replaced files in the data directory would become owned by root. On Windows, it can run under a user that has Administrator rights, but a restricted token needs to be used. This is the same we do e.g. in pg_resetxlog. Also, add missing set_pglocale_pgservice() call, to fix localization. Michael Paquier and Fujii Masao

Fix process startup in pg_rewind.
Don't allow pg_rewind to run as root on Unix platforms, as any new or replaced files in the data directory would become owned by root. On Windows, it can run under a user that has Administrator rights, but a restricted token needs to be used. This is the same we do e.g. in pg_resetxlog. Also, add missing set_pglocale_pgservice() call, to fix localization. Michael Paquier and Fujii Masao
8a06c36a · Heikki Linnakangas · 1cdf4d0b · 8a06c36a · 8a06c36a
Commit 8a06c36a authored Apr 07, 2015 by Heikki Linnakangas
Show whitespace changes
Inline Side-by-side

Showing with 18 additions and 1 deletion

src/bin/pg_rewind/nls.mk src/bin/pg_rewind/nls.mk +1 -1

src/bin/pg_rewind/pg_rewind.c src/bin/pg_rewind/pg_rewind.c +17 -0

No files found.
--- a/src/bin/pg_rewind/nls.mk
+++ b/src/bin/pg_rewind/nls.mk
 # src/bin/pg_rewind/nls.mk
 CATALOG_NAME     = pg_rewind
 AVAIL_LANGUAGES  =
-GETTEXT_FILES    = copy_fetch.c datapagemap.c fetch.c filemap.c libpq_fetch.c logging.c parsexlog.c pg_rewind.c timeline.c ../../common/fe_memutils.c ../../../src/backend/access/transam/xlogreader.c
+GETTEXT_FILES    = copy_fetch.c datapagemap.c fetch.c filemap.c libpq_fetch.c logging.c parsexlog.c pg_rewind.c timeline.c ../../common/fe_memutils.c ../../common/restricted_token.c ../../../src/backend/access/transam/xlogreader.c
 GETTEXT_TRIGGERS = pg_log pg_fatal report_invalid_record:2
 GETTEXT_FLAGS    = pg_log:2:c-format \

--- a/src/bin/pg_rewind/pg_rewind.c
+++ b/src/bin/pg_rewind/pg_rewind.c
@@ -24,6 +24,7 @@
 #include "access/xlog_internal.h"
 #include "catalog/catversion.h"
 #include "catalog/pg_control.h"
+#include "common/restricted_token.h"
 #include "getopt_long.h"
 #include "storage/bufpage.h"
@@ -102,6 +103,7 @@ main(int argc, char **argv)
 	TimeLineID	endtli;
 	ControlFileData ControlFile_new;
+	set_pglocale_pgservice(argv[0], PG_TEXTDOMAIN("pg_rewind"));
 	progname = get_progname(argv[0]);
 	/* Process command-line arguments */
@@ -174,6 +176,21 @@ main(int argc, char **argv)
 		exit(1);
 	}
+	/*
+	 * Don't allow pg_rewind to be run as root, to avoid overwriting the
+	 * ownership of files in the data directory. We need only check for root
+	 * -- any other user won't have sufficient permissions to modify files in
+	 * the data directory.
+	 */
+#ifndef WIN32
+	if (geteuid() == 0)
+		pg_fatal("cannot be executed by \"root\"\n"
+				 "You must run %s as the PostgreSQL superuser.\n",
+				 progname);
+#endif
+	get_restricted_token(progname);
 	/* Connect to remote server */
 	if (connstr_source)
 		libpqConnect(connstr_source);