Replace chown by lchown where applicable
PostgreSQL's upstream init scripts have been found vulnerable to symlink attacks on the server log file (CVE-2017-12172). We don't use the upstream scripts, but inspection of pg_ctlcluster has shown that it is vulnerable to exactly the same problem. We fixed this problem previously via c8989206 (CVE-2016-1255), but the fix merely made the attack window smaller. We now use lchown instead of chown so a symlink put into place while pg_ctlcluster is running cannot be used to chown files elsewhere on the filesystem. In passing, apply the same fix to pg_createcluster and pg_upgradecluster as well.
parent d09868b3
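The difference the commit message relies on, shown as an added example that is not part of the commit or of postgresql-common: `chown` resolves a symlink and acts on its target, while `lchown` acts on the link itself. The function name `set_owner_nofollow`, the file names and the dangling-symlink setup are assumptions constructed for this demonstration.

```python
import os
import stat
import tempfile


def set_owner_nofollow(path, uid, gid):
    """Change ownership of the directory entry itself, never a symlink target.

    Returns True if `path` is a regular file, False otherwise (for example a
    symlink put in place by another user), so the caller can refuse to use it.
    """
    os.lchown(path, uid, gid)
    return stat.S_ISREG(os.lstat(path).st_mode)


def demo():
    """Return (chown_followed_link, log_is_regular_file, victim_exists)."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed paths: `victim` stands in for a file elsewhere on the
        # filesystem, `log` for the server log path that gets chowned.
        victim = os.path.join(d, "victim")
        log = os.path.join(d, "postgresql.log")

        # The symlink planted in place of the log file. The target is left
        # nonexistent so that following the link is observable without root.
        os.symlink(victim, log)

        # Reuse the link's current owner so the sample runs unprivileged.
        st = os.lstat(log)
        uid, gid = st.st_uid, st.st_gid

        try:
            os.chown(log, uid, gid)      # resolves the link, looks for victim
            chown_followed = False
        except FileNotFoundError:
            chown_followed = True        # proof that chown went through the link

        # lchown succeeds on the same path because it never leaves the link.
        is_regular = set_owner_nofollow(log, uid, gid)
        return chown_followed, is_regular, os.path.exists(victim)


if __name__ == "__main__":
    print(demo())
```

With a real target and a privileged caller, the `os.chown` call would have changed the owner of `victim` instead of failing.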