Prevent running pg_basebackup as root
author    Michael Paquier <michael@paquier.xyz>
          Sat, 1 Feb 2020 09:30:25 +0000 (18:30 +0900)
committer Michael Paquier <michael@paquier.xyz>
          Sat, 1 Feb 2020 09:30:25 +0000 (18:30 +0900)
Similarly to pg_upgrade, pg_ctl and initdb, a root user is able to use
--version and --help, but cannot execute the actual operation to avoid
the creation of files with permissions incompatible with the
postmaster.

This is a behavior change, so no back-patching is done.

Author: Ian Barwick
Discussion: https://postgr.es/m/CABvVfJVqOdD2neLkYdygdOHvbWz_5K_iWiqY+psMfA=FeAa3qQ@mail.gmail.com

src/bin/pg_basebackup/pg_basebackup.c

index 238b671f7ae93a42136d22728c948840e79e5f77..556a0af91607c3bb0cef5815e6bffc6d19d22e01 100644 (file)
@@ -2077,6 +2077,22 @@ main(int argc, char **argv)
                }
        }
 
+       /*
+        * Don't allow pg_basebackup to be run as root, to avoid creating files in
+        * the data directory with ownership rights incompatible with the
+        * postmaster.
+        */
+#ifndef WIN32
+       if (geteuid() == 0)                     /* 0 is root's uid */
+       {
+               pg_log_error("cannot be run as root");
+               fprintf(stderr,
+                               _("Please log in (using, e.g., \"su\") as the (unprivileged) user that will\n"
+                                 "own the server process.\n"));
+               exit(1);
+       }
+#endif
+
        atexit(cleanup_directories_atexit);
 
        while ((c = getopt_long(argc, argv, "CD:F:r:RS:T:X:l:nNzZ:d:c:h:p:U:s:wWkvP",
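Review bot: the `#ifndef WIN32` guard means the Windows build gets no equivalent restriction, and the comment above the block does not say so; either extend the comment ("on Windows this is handled elsewhere" if that is the case, as pg_ctl and initdb do with a restricted token) or add a corresponding check, so a reader of this hunk does not assume root/administrator is refused on every platform. The rest of the hunk looks right: using `geteuid()` rather than `getuid()` is the correct choice, since the effective uid is what determines the ownership of files the tool will create, and placing the check after the earlier `--help`/`--version` handling but before `atexit(cleanup_directories_atexit)` and the `getopt_long` loop means root still gets the informational options while no directory is created or registered for cleanup before the refusal, which matches the commit message. The `/* 0 is root's uid */` comment on `if (geteuid() == 0)` could be dropped as a style nit; the condition is self-explanatory.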