authorNoah Misch <noah@leadboat.com>2015-09-20 20:42:27 -0400
committerNoah Misch <noah@leadboat.com>2015-09-20 20:42:50 -0400
commit7496aba8085a21f8296f19b2e8f07e9723f946a5 (patch)
tree0323710abdde19220f1b4fe9db076bb00a7a21fb /src
parente32c5f118ec2da80fd76da1241dd721ceb3e9127 (diff)
Restrict file mode creation mask during tmpfile().
Per Coverity. Back-patch to 9.0 (all supported versions). Michael Paquier, reviewed (in earlier versions) by Heikki Linnakangas.
Diffstat (limited to 'src')
-rw-r--r--src/bin/pg_dump/pg_backup_tar.c12
1 files changed, 12 insertions, 0 deletions
diff --git a/src/bin/pg_dump/pg_backup_tar.c b/src/bin/pg_dump/pg_backup_tar.c
index d6e78ceb1f1..2bcb9a810fe 100644
--- a/src/bin/pg_dump/pg_backup_tar.c
+++ b/src/bin/pg_dump/pg_backup_tar.c
@@ -380,8 +380,18 @@ tarOpen(ArchiveHandle *AH, const char *filename, char mode)
}
else
{
+ int old_umask;
+
tm = pg_malloc0(sizeof(TAR_MEMBER));
+ /*
+ * POSIX does not require, but permits, tmpfile() to restrict file
+ * permissions. Given an OS crash after we write data, the filesystem
+ * might retain the data but forget tmpfile()'s unlink(). If so, the
+ * file mode protects confidentiality of the data written.
+ */
+ old_umask = umask(S_IRWXG | S_IRWXO);
+
#ifndef WIN32
tm->tmpFH = tmpfile();
#else
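Review bot: The new comment before `old_umask = umask(S_IRWXG | S_IRWXO);` explains why the mask is tightened but not that umask() is process-wide and stays tightened until the `umask(old_umask);` added in the second hunk. I would add a line such as `/* umask is process-wide; restored right after the tmpFH NULL check below. */` so that a later edit does not put a return, or another file creation, inside that window. The window also spans the `#else` (WIN32) branch, whose body lies outside this hunk, so whether the mask has any effect on the file created there cannot be confirmed from the visible lines. As a smaller style point, `int old_umask;` holds a value that umask() returns as `mode_t`; `mode_t old_umask;` would match the API, assuming the Windows port headers define that type.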
@@ -416,6 +426,8 @@ tarOpen(ArchiveHandle *AH, const char *filename, char mode)
if (tm->tmpFH == NULL)
exit_horribly(modulename, "could not generate temporary file name: %s\n", strerror(errno));
+ umask(old_umask);
+
#ifdef HAVE_LIBZ
if (AH->compression != 0)