Field | Value
---|---
From: | Noah Misch <noah(at)leadboat(dot)com> |
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Andrew Dunstan <andrew(at)dunslane(dot)net>, Magnus Hagander <magnus(at)hagander(dot)net>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Securing "make check" (CVE-2014-0067) |
Date: | 2014-03-02 22:38:38 |
Message-ID: | 20140302223838.GA3446923@tornado.leadboat.com |
Lists: | pgsql-hackers |

On Sun, Mar 02, 2014 at 01:27:18PM -0500, Tom Lane wrote:
> Noah Misch <noah(at)leadboat(dot)com> writes:
> > One option that would simplify things is to fix only non-Windows in the back
> > branches, via socket protection, and fix Windows in HEAD only. We could even
> > do so by extending HAVE_UNIX_SOCKETS support to Windows through named pipes.
>
> +1 for that solution, if it's not an unreasonable amount of work to add
> named-pipe sockets in Windows. That would offer a feature to Windows
> users that they didn't have before, ie the ability to restrict connections
> based on filesystem permissions; so it seems useful quite aside from any
> "make check" considerations.

Agreed. Windows named pipes do not go through the winsock API, so it might
take a good amount of muddle to achieve this. If it doesn't work out, we'll
revisit use of MD5 authentication for regression tests. Also, I'd be just as
happy for someone else to do the primary development on such a project.

Concerning the immediate fix for non-Windows systems, does any modern system
ignore modes of Unix domain sockets? It appears to be a long-fixed problem:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-1402
http://unix.stackexchange.com/questions/83032/which-systems-do-not-honor-socket-read-write-permissions
Nonetheless, it would be helpful for folks to test any rare platforms they
have at hand. Start a postmaster with --unix-socket-permissions=0000 and
attempt to connect via local socket. If psql gives something other than
"psql: could not connect to server: Permission denied", please report it.

> There's an independent question of whether the regression tests will work
> for "make installcheck" against a server that's not set up for trust auth.
> I'm inclined to think that we can leave it to the user to generate
> appropriate passwords if he's using password auth, but don't we still
> need some test procedure adjustments?

Right. To have "make installcheck-world" work against a cluster requiring md5
authentication, I would use the makecheck-secure-v3.patch test suite changes.
I suppose that's a good thing to nail down, even if testing against md5 does
not become the norm.

--
Noah Misch
EnterpriseDB http://www.enterprisedb.com
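The platform check Noah asks for above, done without a running postmaster: this is an added example, not code from the original message or from PostgreSQL, and it assumes a POSIX host with AF_UNIX sockets. It binds a Unix-domain socket, sets its mode to 0000 (what --unix-socket-permissions=0000 does), and reports whether connect() is refused with EACCES, which is the behaviour the socket-protection fix relies on.

```python
import errno
import os
import socket
import tempfile


def probe_socket_permissions(mode=0o000):
    """Bind a Unix-domain socket, chmod it to `mode`, and try to connect.

    Returns "denied" if connect() fails with EACCES/EPERM (the kernel honors
    socket modes) or "allowed" if connect() succeeds despite the mode (either
    the platform ignores socket modes or the caller is root and bypasses DAC).
    Any other error is re-raised so a broken setup is not read as a result.
    """
    # Private 0700 directory, so the probe socket itself is not exposed to
    # other local users while the test runs.
    tmpdir = tempfile.mkdtemp(prefix="pgsock-probe-")
    path = os.path.join(tmpdir, ".s.PGSQL.probe")  # constructed name, not a real cluster
    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        server.bind(path)
        server.listen(1)
        os.chmod(path, mode)  # same effect as --unix-socket-permissions=0000
        client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            client.connect(path)
            return "allowed"
        except OSError as exc:
            if exc.errno in (errno.EACCES, errno.EPERM):
                return "denied"
            raise
        finally:
            client.close()
    finally:
        server.close()
        if os.path.exists(path):
            os.unlink(path)
        os.rmdir(tmpdir)


def expected_result():
    """Root bypasses file-mode checks, so only an unprivileged run can tell
    whether the platform honors socket modes; as root the probe is inconclusive."""
    return "allowed" if os.geteuid() == 0 else "denied"


if __name__ == "__main__":
    got = probe_socket_permissions()
    print(f"connect() to a mode-0000 socket: {got} (expected {expected_result()})")
    if got != expected_result():
        print("this platform appears to ignore Unix socket modes; worth reporting")
```

Run it as an ordinary user; "denied" matches the "Permission denied" psql output the message describes, while "allowed" from a non-root run is the rare case worth reporting.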