Change backend-side COPY to write files with permissions 644 not 666

(whoever thought world-writable files were a good default????).  Modify
the pg_pwd code so that pg_pwd is created with 600 permissions.  Modify
initdb so that permissions on a pre-existing PGDATA directory are not
blindly accepted: if the dir is already there, it does chmod go-rwx
to be sure that the permissions are OK and the dir actually is owned
by postgres.

src/backend/commands/copy.c

@@ -6,7 +6,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/commands/copy.c,v 1.89 1999/09/27 20:00:44 momjian Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/commands/copy.c,v 1.90 1999/11/21 04:16:17 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -214,12 +214,12 @@ CopyDonePeek(FILE *fp, int c, int pickup)
 
 
 /*
- *	 DoCopy executes a the SQL COPY statement.
+ *	 DoCopy executes the SQL COPY statement.
  */
 
 void
 DoCopy(char *relname, bool binary, bool oids, bool from, bool pipe,
-	   char *filename, char *delim)
+	   char *filename, char *delim, int fileumask)
 {
 /*----------------------------------------------------------------------------
   Either unload or reload contents of class <relname>, depending on <from>.
@@ -234,6 +234,11 @@ DoCopy(char *relname, bool binary, bool oids, bool from, bool pipe,
 
   If in the text format, delimit columns with delimiter <delim>.
 
+  <fileumask> is the umask(2) setting to use while creating an output file.
+  This should usually be more liberal than the backend's normal 077 umask,
+  but not always (in particular, "pg_pwd" should be written with 077!).
+  Up through version 6.5, <fileumask> was always 000, which was foolhardy.
+
   When loading in the text format from an input stream (as opposed to
   a file), recognize a "." on a line by itself as EOF.	Also recognize
   a stream EOF.  When unloading in the text format to an output stream,
@@ -316,7 +321,7 @@ DoCopy(char *relname, bool binary, bool oids, bool from, bool pipe,
 			{
 				mode_t		oumask;		/* Pre-existing umask value */
 
-				oumask = umask((mode_t) 0);
+				oumask = umask((mode_t) fileumask);
 #ifndef __CYGWIN32__
 				fp = AllocateFile(filename, "w");
 #else

src/backend/commands/user.c

@@ -5,7 +5,7 @@
  *
  * Copyright (c) 1994, Regents of the University of California
  *
- * $Id: user.c,v 1.35 1999/09/27 16:44:50 momjian Exp $
+ * $Id: user.c,v 1.36 1999/11/21 04:16:16 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -20,6 +20,7 @@
 #include "catalog/catname.h"
 #include "catalog/pg_database.h"
 #include "catalog/pg_shadow.h"
+#include "commands/copy.h"
 #include "commands/user.h"
 #include "libpq/crypt.h"
 #include "miscadmin.h"
@@ -43,7 +44,7 @@ static void CheckPgUserAclNotNull(void);
  *---------------------------------------------------------------------
  */
 static void
-UpdatePgPwdFile(char *sql, CommandDest dest)
+UpdatePgPwdFile(void)
 {
 	char	   *filename,
 			   *tempname;
@@ -60,16 +61,22 @@ UpdatePgPwdFile(char *sql, CommandDest dest)
 	snprintf(tempname, bufsize, "%s.%d", filename, MyProcPid);
 
 	/*
-	 * Copy the contents of pg_shadow to the pg_pwd ASCII file using a the
-	 * SEPCHAR character as the delimiter between fields.  Then rename the
-	 * file to its final name.
+	 * Copy the contents of pg_shadow to the pg_pwd ASCII file using the
+	 * SEPCHAR character as the delimiter between fields.  Make sure the
+	 * file is created with mode 600 (umask 077).
+	 */
+	DoCopy(ShadowRelationName,	/* relname */
+		   false,				/* binary */
+		   false,				/* oids */
+		   false,				/* from */
+		   false,				/* pipe */
+		   tempname,			/* filename */
+		   CRYPT_PWD_FILE_SEPCHAR, /* delim */
+		   0077);				/* fileumask */
+	/*
+	 * And rename the temp file to its final name, deleting the old pg_pwd.
 	 */
-	snprintf(sql, SQL_LENGTH,
-			 "copy %s to '%s' using delimiters %s",
-			 ShadowRelationName, tempname, CRYPT_PWD_FILE_SEPCHAR);
-	pg_exec_query_dest(sql, dest, false);
 	rename(tempname, filename);
-	pfree((void *) tempname);
 
 	/*
 	 * Create a flag file the postmaster will detect the next time it
@@ -78,6 +85,8 @@ UpdatePgPwdFile(char *sql, CommandDest dest)
 	 */
 	filename = crypt_getpwdreloadfilename();
 	creat(filename, S_IRUSR | S_IWUSR);
+
+	pfree((void *) tempname);
 }
 
 /*---------------------------------------------------------------------
@@ -203,7 +212,7 @@ DefineUser(CreateUserStmt *stmt, CommandDest dest)
 	 * we can be sure no other backend will try to write the flat
 	 * file at the same time.
 	 */
-	UpdatePgPwdFile(sql, dest);
+	UpdatePgPwdFile();
 
 	/*
 	 * Now we can clean up.
@@ -313,7 +322,7 @@ AlterUser(AlterUserStmt *stmt, CommandDest dest)
 	 * we can be sure no other backend will try to write the flat
 	 * file at the same time.
 	 */
-	UpdatePgPwdFile(sql, dest);
+	UpdatePgPwdFile();
 
 	/*
 	 * Now we can clean up.
@@ -446,7 +455,7 @@ RemoveUser(char *user, CommandDest dest)
 	 * we can be sure no other backend will try to write the flat
 	 * file at the same time.
 	 */
-	UpdatePgPwdFile(sql, dest);
+	UpdatePgPwdFile();
 
 	/*
 	 * Now we can clean up.

src/backend/tcop/utility.c

@@ -9,7 +9,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/tcop/utility.c,v 1.71 1999/10/26 03:12:36 momjian Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/tcop/utility.c,v 1.72 1999/11/21 04:16:16 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -268,7 +268,11 @@ ProcessUtility(Node *parsetree,
 				 * than to/from a file.
 				 */
 					   stmt->filename,
-					   stmt->delimiter);
+					   stmt->delimiter,
+				/*
+				 * specify 022 umask while writing files with COPY.
+				 */
+					   0022);
 			}
 			break;
 

src/bin/initdb/initdb.sh

@@ -26,7 +26,7 @@
 #
 #
 # IDENTIFICATION
-#    $Header: /cvsroot/pgsql/src/bin/initdb/Attic/initdb.sh,v 1.61 1999/10/06 21:58:12 vadim Exp $
+#    $Header: /cvsroot/pgsql/src/bin/initdb/Attic/initdb.sh,v 1.62 1999/11/21 04:16:15 tgl Exp $
 #
 #-------------------------------------------------------------------------
 
@@ -293,6 +293,11 @@ else
         echo
         mkdir $PGDATA
         if [ $? -ne 0 ]; then exit 5; fi
+	else
+        echo "Fixing permissions on pre-existing $PGDATA"
+        echo
+		chmod go-rwx $PGDATA
+        if [ $? -ne 0 ]; then exit 5; fi
     fi
     if [ ! -d $PGDATA/base ]; then
         echo "Creating Postgres database system directory $PGDATA/base"
@@ -411,8 +416,11 @@ PGSQL_OPT="-o /dev/null -O -F -Q -D$PGDATA"
 echo "Vacuuming template1"
 echo "vacuum" | postgres $PGSQL_OPT template1 > /dev/null
 
+# Create the initial pg_pwd (flat-file copy of pg_shadow)
 echo "COPY pg_shadow TO '$PGDATA/pg_pwd' USING DELIMITERS '\\t'" | \
 	postgres $PGSQL_OPT template1 > /dev/null
+# An ordinary COPY will leave the file too loosely protected.
+chmod go-rw $PGDATA/pg_pwd
 
 echo "Creating public pg_user view"
 echo "CREATE TABLE pg_user (		\

src/include/commands/copy.h

@@ -6,7 +6,7 @@
  *
  * Copyright (c) 1994, Regents of the University of California
  *
- * $Id: copy.h,v 1.5 1999/02/13 23:21:18 momjian Exp $
+ * $Id: copy.h,v 1.6 1999/11/21 04:16:17 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -14,7 +14,7 @@
 #define COPY_H
 
 
-void DoCopy(char *relname, bool binary, bool oids, bool from, bool pipe, char *filename,
-	   char *delim);
+void DoCopy(char *relname, bool binary, bool oids, bool from, bool pipe,
+			char *filename, char *delim, int fileumask);
 
 #endif	 /* COPY_H */