> > > > If you want to put in security restrictions that are actually useful,

> > > > where is the code to verify that PGPASSWORDFILE points at a > > > > non-world-readable file? That needs to be there now, not later, or > > > > we'll have people moaning about backward compatibility when we finally > > > > do plug that hole. Alvaro Herrera
2002-08-29 23:06:32 +00:00 · 2002-08-29 23:06:32 +00:00 · 40f2eec503
commit 40f2eec503
parent 9858a3a43f
1 changed files with 17 additions and 1 deletions
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@ -8,7 +8,7 @@
 *
 *
 * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-connect.c,v 1.198 2002/08/29 07:22:29 ishii Exp $
+ *	  $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-connect.c,v 1.199 2002/08/29 23:06:32 momjian Exp $
 *
 *-------------------------------------------------------------------------
 */
@ -16,10 +16,12 @@
 #include "postgres_fe.h"

 #include <sys/types.h>
+#include <sys/stat.h>
 #include <fcntl.h>
 #include <errno.h>
 #include <ctype.h>
 #include <time.h>
+#include <unistd.h>

 #include "libpq-fe.h"
 #include "libpq-int.h"
@ -2904,6 +2906,7 @@ PasswordFromFile(char *hostname, char *port, char *dbname,
 	FILE   *fp;
 #define LINELEN NAMEDATALEN*5
 	char	buf[LINELEN];
+	struct stat stat_buf;

 	if (pwdfile == NULL || strcmp(pwdfile, "") == 0)
 		return NULL;
@ -2920,6 +2923,19 @@ PasswordFromFile(char *hostname, char *port, char *dbname,
 	if (port == NULL)
 		port = DEF_PGPORT_STR;

+	/* If password file cannot be opened, ignore it. */
+	if (stat(pwdfile, &stat_buf) == -1)
+		return NULL;
+
+	/* If password file is insecure, alert the user and ignore it. */
+	if (stat_buf.st_mode & (S_IRWXG | S_IRWXO))
+	{
+		fprintf(stderr,
+				libpq_gettext("WARNING: Password file %s has world or group read access; permission should be u=rw (0600)"),
+				pwdfile);
+		return NULL;
+	}
+
 	fp = fopen(pwdfile, "r");
 	if (fp == NULL)
 		return NULL;