Nuke docker.io
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
This commit is contained in:
205
packages/docker/postgresql/allow-root.patch
Normal file
205
packages/docker/postgresql/allow-root.patch
Normal file
@@ -0,0 +1,205 @@
|
||||
diff --git a/src/backend/main/main.c b/src/backend/main/main.c
|
||||
index e8effe50242..2065061b5bb 100644
|
||||
--- a/src/backend/main/main.c
|
||||
+++ b/src/backend/main/main.c
|
||||
@@ -190,10 +190,6 @@ main(int argc, char *argv[])
|
||||
do_check_root = false;
|
||||
}
|
||||
|
||||
- /*
|
||||
- * Make sure we are not running as root, unless it's safe for the selected
|
||||
- * option.
|
||||
- */
|
||||
if (do_check_root)
|
||||
check_root(progname);
|
||||
|
||||
@@ -445,41 +441,6 @@ help(const char *progname)
|
||||
static void
|
||||
check_root(const char *progname)
|
||||
{
|
||||
-#ifndef WIN32
|
||||
- if (geteuid() == 0)
|
||||
- {
|
||||
- write_stderr("\"root\" execution of the PostgreSQL server is not permitted.\n"
|
||||
- "The server must be started under an unprivileged user ID to prevent\n"
|
||||
- "possible system security compromise. See the documentation for\n"
|
||||
- "more information on how to properly start the server.\n");
|
||||
- exit(1);
|
||||
- }
|
||||
-
|
||||
- /*
|
||||
- * Also make sure that real and effective uids are the same. Executing as
|
||||
- * a setuid program from a root shell is a security hole, since on many
|
||||
- * platforms a nefarious subroutine could setuid back to root if real uid
|
||||
- * is root. (Since nobody actually uses postgres as a setuid program,
|
||||
- * trying to actively fix this situation seems more trouble than it's
|
||||
- * worth; we'll just expend the effort to check for it.)
|
||||
- */
|
||||
- if (getuid() != geteuid())
|
||||
- {
|
||||
- write_stderr("%s: real and effective user IDs must match\n",
|
||||
- progname);
|
||||
- exit(1);
|
||||
- }
|
||||
-#else /* WIN32 */
|
||||
- if (pgwin32_is_admin())
|
||||
- {
|
||||
- write_stderr("Execution of PostgreSQL by a user with administrative permissions is not\n"
|
||||
- "permitted.\n"
|
||||
- "The server must be started under an unprivileged user ID to prevent\n"
|
||||
- "possible system security compromises. See the documentation for\n"
|
||||
- "more information on how to properly start the server.\n");
|
||||
- exit(1);
|
||||
- }
|
||||
-#endif /* WIN32 */
|
||||
}
|
||||
|
||||
/*
|
||||
diff --git a/src/bin/initdb/initdb.c b/src/bin/initdb/initdb.c
|
||||
index 21a0fe3ecd9..2aa44cc9ab8 100644
|
||||
--- a/src/bin/initdb/initdb.c
|
||||
+++ b/src/bin/initdb/initdb.c
|
||||
@@ -815,15 +815,6 @@ get_id(void)
|
||||
{
|
||||
const char *username;
|
||||
|
||||
-#ifndef WIN32
|
||||
- if (geteuid() == 0) /* 0 is root's uid */
|
||||
- {
|
||||
- pg_log_error("cannot be run as root");
|
||||
- pg_log_error_hint("Please log in (using, e.g., \"su\") as the (unprivileged) user that will own the server process.");
|
||||
- exit(1);
|
||||
- }
|
||||
-#endif
|
||||
-
|
||||
username = get_user_name_or_exit(progname);
|
||||
|
||||
return pg_strdup(username);
|
||||
diff --git a/src/bin/pg_basebackup/pg_createsubscriber.c b/src/bin/pg_basebackup/pg_createsubscriber.c
|
||||
index a5a2d61165d..a4021734895 100644
|
||||
--- a/src/bin/pg_basebackup/pg_createsubscriber.c
|
||||
+++ b/src/bin/pg_basebackup/pg_createsubscriber.c
|
||||
@@ -1977,20 +1977,6 @@ main(int argc, char **argv)
|
||||
};
|
||||
opt.recovery_timeout = 0;
|
||||
|
||||
- /*
|
||||
- * Don't allow it to be run as root. It uses pg_ctl which does not allow
|
||||
- * it either.
|
||||
- */
|
||||
-#ifndef WIN32
|
||||
- if (geteuid() == 0)
|
||||
- {
|
||||
- pg_log_error("cannot be executed by \"root\"");
|
||||
- pg_log_error_hint("You must run %s as the PostgreSQL superuser.",
|
||||
- progname);
|
||||
- exit(1);
|
||||
- }
|
||||
-#endif
|
||||
-
|
||||
get_restricted_token();
|
||||
|
||||
while ((c = getopt_long(argc, argv, "d:D:np:P:s:t:TU:v",
|
||||
diff --git a/src/bin/pg_ctl/pg_ctl.c b/src/bin/pg_ctl/pg_ctl.c
|
||||
index 8a405ff122c..84195a3b8c6 100644
|
||||
--- a/src/bin/pg_ctl/pg_ctl.c
|
||||
+++ b/src/bin/pg_ctl/pg_ctl.c
|
||||
@@ -2235,7 +2235,6 @@ main(int argc, char **argv)
|
||||
/* Set restrictive mode mask until PGDATA permissions are checked */
|
||||
umask(PG_MODE_MASK_OWNER);
|
||||
|
||||
- /* support --help and --version even if invoked as root */
|
||||
if (argc > 1)
|
||||
{
|
||||
if (strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") == 0)
|
||||
@@ -2250,21 +2249,6 @@ main(int argc, char **argv)
|
||||
}
|
||||
}
|
||||
|
||||
- /*
|
||||
- * Disallow running as root, to forestall any possible security holes.
|
||||
- */
|
||||
-#ifndef WIN32
|
||||
- if (geteuid() == 0)
|
||||
- {
|
||||
- write_stderr(_("%s: cannot be run as root\n"
|
||||
- "Please log in (using, e.g., \"su\") as the "
|
||||
- "(unprivileged) user that will\n"
|
||||
- "own the server process.\n"),
|
||||
- progname);
|
||||
- exit(1);
|
||||
- }
|
||||
-#endif
|
||||
-
|
||||
env_wait = getenv("PGCTLTIMEOUT");
|
||||
if (env_wait != NULL)
|
||||
wait_seconds = atoi(env_wait);
|
||||
diff --git a/src/bin/pg_resetwal/pg_resetwal.c b/src/bin/pg_resetwal/pg_resetwal.c
|
||||
index 31bc0abff16..951de872d77 100644
|
||||
--- a/src/bin/pg_resetwal/pg_resetwal.c
|
||||
+++ b/src/bin/pg_resetwal/pg_resetwal.c
|
||||
@@ -347,22 +347,6 @@ main(int argc, char *argv[])
|
||||
exit(1);
|
||||
}
|
||||
|
||||
- /*
|
||||
- * Don't allow pg_resetwal to be run as root, to avoid overwriting the
|
||||
- * ownership of files in the data directory. We need only check for root
|
||||
- * -- any other user won't have sufficient permissions to modify files in
|
||||
- * the data directory.
|
||||
- */
|
||||
-#ifndef WIN32
|
||||
- if (geteuid() == 0)
|
||||
- {
|
||||
- pg_log_error("cannot be executed by \"root\"");
|
||||
- pg_log_error_hint("You must run %s as the PostgreSQL superuser.",
|
||||
- progname);
|
||||
- exit(1);
|
||||
- }
|
||||
-#endif
|
||||
-
|
||||
get_restricted_token();
|
||||
|
||||
/* Set mask based on PGDATA permissions */
|
||||
diff --git a/src/bin/pg_rewind/pg_rewind.c b/src/bin/pg_rewind/pg_rewind.c
|
||||
index 2ce99d06d1d..33e0a61c360 100644
|
||||
--- a/src/bin/pg_rewind/pg_rewind.c
|
||||
+++ b/src/bin/pg_rewind/pg_rewind.c
|
||||
@@ -270,22 +270,6 @@ main(int argc, char **argv)
|
||||
exit(1);
|
||||
}
|
||||
|
||||
- /*
|
||||
- * Don't allow pg_rewind to be run as root, to avoid overwriting the
|
||||
- * ownership of files in the data directory. We need only check for root
|
||||
- * -- any other user won't have sufficient permissions to modify files in
|
||||
- * the data directory.
|
||||
- */
|
||||
-#ifndef WIN32
|
||||
- if (geteuid() == 0)
|
||||
- {
|
||||
- pg_log_error("cannot be executed by \"root\"");
|
||||
- pg_log_error_hint("You must run %s as the PostgreSQL superuser.",
|
||||
- progname);
|
||||
- exit(1);
|
||||
- }
|
||||
-#endif
|
||||
-
|
||||
get_restricted_token();
|
||||
|
||||
/* Set mask based on PGDATA permissions */
|
||||
diff --git a/src/bin/pg_upgrade/option.c b/src/bin/pg_upgrade/option.c
|
||||
index 188dd8d8a8b..cdd032be0fc 100644
|
||||
--- a/src/bin/pg_upgrade/option.c
|
||||
+++ b/src/bin/pg_upgrade/option.c
|
||||
@@ -104,10 +104,6 @@ parseCommandLine(int argc, char *argv[])
|
||||
}
|
||||
}
|
||||
|
||||
- /* Allow help and version to be run as root, so do the test here. */
|
||||
- if (os_user_effective_id == 0)
|
||||
- pg_fatal("%s: cannot be run as root", os_info.progname);
|
||||
-
|
||||
while ((option = getopt_long(argc, argv, "b:B:cd:D:j:kNo:O:p:P:rs:U:v",
|
||||
long_options, &optindex)) != -1)
|
||||
{
|
||||
Reference in New Issue
Block a user