diff options
| author | Noah Misch <noah@leadboat.com> | 2015-09-20 20:42:27 -0400 |
|---|---|---|
| committer | Noah Misch <noah@leadboat.com> | 2015-09-20 20:42:44 -0400 |
| commit | 1be9d65e17abc6215a6faae9bc3f714dd3d040b6 (patch) | |
| tree | be63ed343264019c020778b69d4703d3e253c6cd /src | |
| parent | 3d3bc2905f2ed6a4858501031c086383be7bcf6a (diff) | |
| download | postgresql-1be9d65e17abc6215a6faae9bc3f714dd3d040b6.tar.gz postgresql-1be9d65e17abc6215a6faae9bc3f714dd3d040b6.zip | |
Restrict file mode creation mask during tmpfile().
Per Coverity. Back-patch to 9.0 (all supported versions).
Michael Paquier, reviewed (in earlier versions) by Heikki Linnakangas.
Diffstat (limited to 'src')
| -rw-r--r-- | src/bin/pg_dump/pg_backup_tar.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/src/bin/pg_dump/pg_backup_tar.c b/src/bin/pg_dump/pg_backup_tar.c index 8730c5ea914..532eacc066e 100644 --- a/src/bin/pg_dump/pg_backup_tar.c +++ b/src/bin/pg_dump/pg_backup_tar.c @@ -379,8 +379,18 @@ tarOpen(ArchiveHandle *AH, const char *filename, char mode) } else { + int old_umask; + tm = pg_malloc0(sizeof(TAR_MEMBER)); + /* + * POSIX does not require, but permits, tmpfile() to restrict file + * permissions. Given an OS crash after we write data, the filesystem + * might retain the data but forget tmpfile()'s unlink(). If so, the + * file mode protects confidentiality of the data written. + */ + old_umask = umask(S_IRWXG | S_IRWXO); + #ifndef WIN32 tm->tmpFH = tmpfile(); #else @@ -415,6 +425,8 @@ tarOpen(ArchiveHandle *AH, const char *filename, char mode) if (tm->tmpFH == NULL) exit_horribly(modulename, "could not generate temporary file name: %s\n", strerror(errno)); + umask(old_umask); + #ifdef HAVE_LIBZ if (AH->compression != 0) |