Группа :: Базы Данных
Пакет: postgresql
навигация по пакетам
Главная Изменения Спек Патчи Загрузить Bugs and FR
Патч: postgresql-7.4-alt-chroot.patch
diff -Nur postgresql-7.4.orig/src/backend/main/main.c postgresql-7.4/src/backend/main/main.c
--- postgresql-7.4.orig/src/backend/main/main.c 2003-11-18 10:14:39 +0500
+++ postgresql-7.4/src/backend/main/main.c 2003-11-18 10:18:15 +0500
@@ -171,6 +171,12 @@
*/
if (geteuid() == 0)
{+ int j;
+
+ for ( j = 1; j < argc; ++j )
+ if ( !strcmp(argv[j], "-r") ) break;
+ if (j == argc)
+ {fprintf(stderr,
gettext("\"root\" execution of the PostgreSQL server is not permitted.\n""The server must be started under an unprivileged user ID to prevent\n"
@@ -178,6 +184,7 @@
"more information on how to properly start the server.\n"
));
exit(1);
+ }
}
#endif /* !__BEOS__ */
diff -Nur postgresql-7.4.orig/src/backend/po/ru.po postgresql-7.4/src/backend/po/ru.po
--- postgresql-7.4.orig/src/backend/po/ru.po 2003-11-18 10:14:39 +0500
+++ postgresql-7.4/src/backend/po/ru.po 2003-11-18 10:18:48 +0500
@@ -22,6 +22,10 @@
"Content-Type: text/plain; charset=koi8-r\n"
"Content-Transfer-Encoding: 8bit\n"
+#: ../postmaster/postmaster.c:931
+msgid " -r path Chroot daemon during startup\n"
+msgstr " -r ПУТЬ Директория для перехода сервера в chroot режим\n"
+
#: access/common/indextuple.c:57
#, c-format
msgid "number of index attributes %d exceeds limit, %d"
diff -Nur postgresql-7.4.orig/src/backend/postmaster/postmaster.c postgresql-7.4/src/backend/postmaster/postmaster.c
--- postgresql-7.4.orig/src/backend/postmaster/postmaster.c 2003-11-18 10:14:40 +0500
+++ postgresql-7.4/src/backend/postmaster/postmaster.c 2003-11-18 10:36:49 +0500
@@ -76,6 +76,7 @@
#include <arpa/inet.h>
#include <netdb.h>
#include <limits.h>
+#include <pwd.h>
#ifdef HAVE_SYS_SELECT_H
#include <sys/select.h>
@@ -144,6 +145,7 @@
int PostPortNumber;
char *UnixSocketDir;
char *VirtualHost;
+char *ChRootDir;
/*
* MaxBackends is the limit on the number of backends we can start.
@@ -259,7 +261,7 @@
/*
* postmaster.c - function prototypes
*/
-static void pmdaemonize(int argc, char *argv[]);
+static void pmdaemonize(int argc, char *argv[], int null_fd);
static Port *ConnCreate(int serverFd);
static void ConnFree(Port *port);
static void reset_shared(unsigned short port);
@@ -386,6 +388,7 @@
char original_extraoptions[MAXPGPATH];
char *potential_DataDir = NULL;
int i;
+ int null_fd;
*original_extraoptions = '\0';
@@ -438,17 +441,89 @@
MemoryContextSwitchTo(PostmasterContext);
IgnoreSystemIndexes(false);
+
/*
* Options setup
*/
InitializeGUCOptions();
+ opterr = 1;
+ optind = 1;
+ while ((opt = getopt(argc, argv, "A:a:B:b:c:D:d:Fh:ik:lm:MN:no:p:Ss-:r:")) != -1)
+ {+ switch (opt)
+ {+ case 'k':
+ SetConfigOption("unix_socket_directory", optarg, PGC_POSTMASTER, PGC_S_ARGV);+ break;
+
+ case 'r':
+ SetConfigOption("chroot_directory", optarg, PGC_POSTMASTER, PGC_S_ARGV);+ break;
+
+ case 'p':
+ SetConfigOption("port", optarg, PGC_POSTMASTER, PGC_S_ARGV);+ break;
+
+ case '?':
+ fprintf(stderr, gettext("Try '%s --help' for more information.\n"), progname);+ ExitPostmaster(1);
+ }
+ }
+
+ null_fd = open(NULL_DEV, O_RDWR | PG_BINARY);
+ if (null_fd < 0)
+ {+ fprintf (stderr, "%s: error opening null device: %s: %s\n", progname, NULL_DEV, strerror(errno));
+ ExitPostmaster(1);
+ }
+
+ if (ChRootDir && *ChRootDir)
+ {+ struct passwd *pw = getpwnam("postgres");+
+ if (!pw)
+ {+ fprintf (stderr, "%s: getpwnam(postgres): %s\n", progname, strerror(errno));
+ ExitPostmaster(1);
+ }
+ if (chroot(ChRootDir) < 0)
+ {+ fprintf (stderr, "%s: chroot:%s: %s\n", progname, ChRootDir, strerror(errno));
+ ExitPostmaster(1);
+ }
+ if (chdir( "/" ) < 0)
+ {+ fprintf (stderr, "%s: chdir: /: %s\n", progname, strerror(errno));
+ ExitPostmaster(1);
+ }
+ if (setgroups(0, NULL) < 0)
+ {+ fprintf (stderr, "%s: setgroups: %s\n", progname, strerror(errno));
+ ExitPostmaster(1);
+ }
+ if (setgid (pw->pw_gid) < 0)
+ {+ fprintf (stderr, "%s: setgid: %s\n", progname, strerror(errno));
+ ExitPostmaster(1);
+ }
+ if (setuid (pw->pw_uid) < 0)
+ {+ fprintf (stderr, "%s: setuid: %s\n", progname, strerror(errno));
+ ExitPostmaster(1);
+ }
+ }
+
potential_DataDir = getenv("PGDATA"); /* default value */opterr = 1;
- while ((opt = getopt(argc, argv, "A:a:B:b:c:D:d:Fh:ik:lm:MN:no:p:Ss-:")) != -1)
+ optind = 1; /* start over */
+#ifdef HAVE_INT_OPTRESET
+ optreset = 1;
+#endif
+ while ((opt = getopt(argc, argv, "A:a:B:b:c:D:d:Fh:ik:lm:MN:no:p:Ss-:r:")) != -1)
{switch (opt)
{@@ -493,7 +568,8 @@
SetConfigOption("tcpip_socket", "true", PGC_POSTMASTER, PGC_S_ARGV);break;
case 'k':
- SetConfigOption("unix_socket_directory", optarg, PGC_POSTMASTER, PGC_S_ARGV);+ case 'r':
+ /* already done above */
break;
#ifdef USE_SSL
case 'l':
@@ -530,7 +606,7 @@
strcpy(original_extraoptions, optarg);
break;
case 'p':
- SetConfigOption("port", optarg, PGC_POSTMASTER, PGC_S_ARGV);+ /* already done above */
break;
case 'S':
@@ -669,11 +745,12 @@
/*
* On some systems our dynloader code needs the executable's pathname.
*/
+#if 0
if (FindExec(pg_pathname, progname, "postgres") < 0)
ereport(FATAL,
(errmsg("%s: could not locate postgres executable",progname)));
-
+#endif
/*
* Initialize SSL library, if specified.
*/
@@ -701,7 +778,9 @@
* will show the wrong PID.
*/
if (SilentMode)
- pmdaemonize(argc, argv);
+ pmdaemonize(argc, argv, null_fd);
+ else
+ close (null_fd);
/*
* Create lockfile for data directory.
@@ -900,9 +979,8 @@
}
static void
-pmdaemonize(int argc, char *argv[])
-{- int i;
+pmdaemonize(int argc, char *argv[], int null_fd)
+ {pid_t pid;
#ifdef LINUX_PROFILE
@@ -944,11 +1022,18 @@
ExitPostmaster(1);
}
#endif
- i = open(NULL_DEV, O_RDWR | PG_BINARY);
- dup2(i, 0);
- dup2(i, 1);
- dup2(i, 2);
- close(i);
+ if (null_fd >= 0)
+ {+ int i;
+ for (i = 0; i <= 2; ++i)
+ if ((null_fd != i) && (dup2 (null_fd, i) != i))
+ {+ postmaster_error("dup2 (%d, %d): %s", null_fd, i, strerror(errno));+ ExitPostmaster(1);
+ }
+ if (null_fd > 2)
+ close (null_fd);
+ }
}
@@ -980,6 +1065,7 @@
printf(gettext(" -o OPTIONS pass \"OPTIONS\" to each server process\n")); printf(gettext(" -p PORT port number to listen on\n")); printf(gettext(" -S silent mode (start in background without logging output)\n"));+ printf(gettext(" -r path Chroot daemon during startup\n")); printf(gettext(" --help show this help, then exit\n")); printf(gettext(" --version output version information, then exit\n"));@@ -2945,8 +3031,10 @@
FILE *fp;
int i;
+#if 0
if (FindExec(fullprogname, argv[0], "postmaster") < 0)
return false;
+#endif
snprintf(filename, sizeof(filename), "%s/postmaster.opts", DataDir);
diff -Nur postgresql-7.4.orig/src/backend/tcop/postgres.c postgresql-7.4/src/backend/tcop/postgres.c
--- postgresql-7.4.orig/src/backend/tcop/postgres.c 2003-11-18 10:14:40 +0500
+++ postgresql-7.4/src/backend/tcop/postgres.c 2003-11-18 10:37:32 +0500
@@ -2594,11 +2594,12 @@
* On some systems our dynloader code needs the executable's
* pathname. (If under postmaster, this was done already.)
*/
+#if 0
if (FindExec(pg_pathname, argv[0], "postgres") < 0)
ereport(FATAL,
(errmsg("%s: could not locate postgres executable",argv[0])));
-
+#endif
/*
* Validate we have been given a reasonable-looking DataDir (if
* under postmaster, assume postmaster did this already).
diff -Nur postgresql-7.4.orig/src/backend/utils/misc/guc.c postgresql-7.4/src/backend/utils/misc/guc.c
--- postgresql-7.4.orig/src/backend/utils/misc/guc.c 2003-11-18 10:14:41 +0500
+++ postgresql-7.4/src/backend/utils/misc/guc.c 2003-11-18 10:39:01 +0500
@@ -1579,6 +1579,12 @@
XLOG_sync_method_default, assign_xlog_sync_method, NULL
},
+ {+ {"chroot_directory", PGC_POSTMASTER, UNGROUPED, "", NULL},+ &ChRootDir,
+ "", NULL, NULL
+ },
+
/* End-of-list marker */
{ {NULL, 0, 0, NULL, NULL}, NULL, NULL, NULL, NULLdiff -Nur postgresql-7.4.orig/src/include/miscadmin.h postgresql-7.4/src/include/miscadmin.h
--- postgresql-7.4.orig/src/include/miscadmin.h 2003-11-18 10:14:41 +0500
+++ postgresql-7.4/src/include/miscadmin.h 2003-11-18 10:37:58 +0500
@@ -202,6 +202,7 @@
extern char *Unix_socket_group;
extern char *UnixSocketDir;
extern char *VirtualHost;
+extern char *ChRootDir;
/*****************************************************************************