Prevent pg_ctl from being run as root. Since it uses configuration files

owned by postgres, doing "pg_ctl start" as root could allow a privilege
escalation attack, as pointed out by iDEFENSE.  Of course the postmaster would
fail, but we ought to fail a little sooner to protect sysadmins unfamiliar
with Postgres.  The chosen fix is to disable root use of pg_ctl in all cases,
just to be confident there are no other holes.

diff --git a/src/bin/pg_ctl/pg_ctl.sh b/src/bin/pg_ctl/pg_ctl.sh
index 5bda173918599c3b1faca8740c6824181eddc82d..dc7376a7359fe3cc2653f347daaf67dcdc584b35 100755 (executable)
--- a/src/bin/pg_ctl/pg_ctl.sh
+++ b/src/bin/pg_ctl/pg_ctl.sh
@@ -111,6 +111,14 @@ fi
 
 po_path="$PGPATH/postmaster"
 
+if [ `$PGPATH/pg_id -u` -eq 0 ]
+then
+    echo "$CMDNAME: cannot be run as root" 1>&2
+    echo "Please log in (using, e.g., \"su\") as the (unprivileged) user that will" 1>&2
+    echo "own the server process." 1>&2
+    exit 1
+fi
+
 wait=
 wait_seconds=60
 logfile=