start-scripts: switch to $PGUSER before opening $PGLOG.

By default, $PGUSER has permission to unlink $PGLOG. If $PGUSER replaces $PGLOG with a symbolic link, the server will corrupt the link-targeted file by appending log messages. Since these scripts open $PGLOG as root, the attack works regardless of target file ownership. "make install" does not install these scripts anywhere. Users having manually installed them in the past should repeat that process to acquire this fix. Most script users have $PGLOG writable to root only, located in $PGDATA. Just before updating one of these scripts, such users should rename $PGLOG to $PGLOG.old. The script will then recreate $PGLOG with proper ownership. Reviewed by Peter Eisentraut. Reported by Antoine Scemama. Security: CVE-2017-12172

start-scripts: switch to $PGUSER before opening $PGLOG.
6b0b983f · Noah Misch · 3f808957 · 6b0b983f · 6b0b983f · 6b0b983f
Commit 6b0b983f authored 7 years ago by Noah Misch
--- a/contrib/start-scripts/freebsd
+++ b/contrib/start-scripts/freebsd
@@ -43,7 +43,7 @@ test -x $DAEMON ||
 case $1 in
    start)
-	su -l $PGUSER -c "$DAEMON -D '$PGDATA' &" >>$PGLOG 2>&1
+	su -l $PGUSER -c "$DAEMON -D '$PGDATA' >>$PGLOG 2>&1 &"
 	echo -n ' postgresql'
 	;;
    stop)
@@ -51,7 +51,7 @@ case $1 in
 	;;
    restart)
 	su -l $PGUSER -c "$PGCTL stop -D '$PGDATA' -s"
-	su -l $PGUSER -c "$DAEMON -D '$PGDATA' &" >>$PGLOG 2>&1
+	su -l $PGUSER -c "$DAEMON -D '$PGDATA' >>$PGLOG 2>&1 &"
 	;;
    status)
 	su -l $PGUSER -c "$PGCTL status -D '$PGDATA'"

--- a/contrib/start-scripts/linux
+++ b/contrib/start-scripts/linux
@@ -91,7 +91,7 @@ case $1 in
  start)
 	echo -n "Starting PostgreSQL: "
 	test -e "$PG_OOM_ADJUST_FILE" && echo "$PG_MASTER_OOM_SCORE_ADJ" > "$PG_OOM_ADJUST_FILE"
-	su - $PGUSER -c "$DAEMON_ENV $DAEMON -D '$PGDATA' &" >>$PGLOG 2>&1
+	su - $PGUSER -c "$DAEMON_ENV $DAEMON -D '$PGDATA' >>$PGLOG 2>&1 &"
 	echo "ok"
 	;;
  stop)
@@ -103,7 +103,7 @@ case $1 in
 	echo -n "Restarting PostgreSQL: "
 	su - $PGUSER -c "$PGCTL stop -D '$PGDATA' -s"
 	test -e "$PG_OOM_ADJUST_FILE" && echo "$PG_MASTER_OOM_SCORE_ADJ" > "$PG_OOM_ADJUST_FILE"
-	su - $PGUSER -c "$DAEMON_ENV $DAEMON -D '$PGDATA' &" >>$PGLOG 2>&1
+	su - $PGUSER -c "$DAEMON_ENV $DAEMON -D '$PGDATA' >>$PGLOG 2>&1 &"
 	echo "ok"
 	;;
  reload)

--- a/contrib/start-scripts/osx/PostgreSQL
+++ b/contrib/start-scripts/osx/PostgreSQL
@@ -80,9 +80,9 @@ StartService () {
    if [ "${POSTGRESQL:=-NO-}" = "-YES-" ]; then
        ConsoleMessage "Starting PostgreSQL database server"
        if [ "${ROTATELOGS}" = "1" ]; then
-            sudo -u $PGUSER sh -c "${DAEMON} -D '${PGDATA}' &" 2>&1 | ${LOGUTIL} "${PGLOG}" ${ROTATESEC} &
+            sudo -u $PGUSER sh -c "${DAEMON} -D '${PGDATA}' 2>&1 | ${LOGUTIL} \"${PGLOG}\" ${ROTATESEC} &"
        else
-            sudo -u $PGUSER sh -c "${DAEMON} -D '${PGDATA}' &" >>"$PGLOG" 2>&1
+            sudo -u $PGUSER sh -c "${DAEMON} -D '${PGDATA}' >>\"$PGLOG\" 2>&1 &"
        fi
    fi
 }
@@ -99,9 +99,9 @@ RestartService () {
        sudo -u $PGUSER sh -c "$PGCTL stop -D '${PGDATA}' -s"
        # should match StartService:
        if [ "${ROTATELOGS}" = "1" ]; then
-            sudo -u $PGUSER sh -c "${DAEMON} -D '${PGDATA}' &" 2>&1 | ${LOGUTIL} "${PGLOG}" ${ROTATESEC} &
+            sudo -u $PGUSER sh -c "${DAEMON} -D '${PGDATA}' 2>&1 | ${LOGUTIL} \"${PGLOG}\" ${ROTATESEC} &"
        else
-            sudo -u $PGUSER sh -c "${DAEMON} -D '${PGDATA}' &" >>"$PGLOG" 2>&1
+            sudo -u $PGUSER sh -c "${DAEMON} -D '${PGDATA}' >>\"$PGLOG\" 2>&1 &"
        fi
    else
        StopService