Peter Eisentraut <peter_e@gmx.net> writes:
>> We want real uid
>> to become postgres as well --- otherwise our test to prevent execution
>> as root is a waste of time, because nefarious code could become root
>> again just by doing setuid. See the setuid man page: if real uid is
>> root then setuid(root) will succeed.
> That is a valid concern, but the code doesn't actually prevent this.
After reading the setuid man page a third time, I think you are right.
On machines that have setreuid(), or even better setresuid(), we could
force the ruid (and suid for good measure) to match euid. Otherwise we
probably should refuse to start unless getuid matches geteuid.
Hmm ... setresuid may be an HP-ism ... does anyone else have that?
setreuid appears to be a BSD-ism, so it ought to be reasonably popular.
regards, tom lane