From: | Noah Misch <noah(at)leadboat(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Andrew Dunstan <andrew(at)dunslane(dot)net>, Magnus Hagander <magnus(at)hagander(dot)net>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Securing "make check" (CVE-2014-0067) |
Date: | 2014-03-04 00:53:21 |
Message-ID: | 20140304005321.GB3477828@tornado.leadboat.com |
Lists: | pgsql-hackers |
On Mon, Mar 03, 2014 at 01:29:00AM -0500, Tom Lane wrote:
> Noah Misch <noah(at)leadboat(dot)com> writes:
> > Concerning the immediate fix for non-Windows systems, does any modern system
> > ignore modes of Unix domain sockets? It appears to be a long-fixed problem:
>
> What I was envisioning was that we'd be relying on the permissions of the
> containing directory to keep out bad guys. Permissions on the socket
> itself might be sufficient, but what does it save us to assume that?
My first preference is to use the simplest code that POSIX requires to have
the behavior we desire. POSIX specifies as implementation-defined whether
connect() checks filesystem permissions. That's true of both directory search
permissions and permissions on the socket itself. POSIX alone can't help us
here.
My second preference is to use the simplest code known to be portable to all
credible PostgreSQL target systems. Brief research was inconclusive, but it
turned up no solid evidence of a modern target ignoring socket permissions.
(It did turn up solid evidence of 15-year-old targets having that problem.) I
found no evidence either way concerning the prevalence of systems that ignore
directory search permissions above sockets.
I don't care for interposing a directory based solely on the fact that some
ancient systems needed that. Changing unix_socket_permissions is a one-liner
in each test driver. Placing the socket in a directory entails setting PGHOST
in the psql and postmaster environments and cleaning up the directory on exit.
That would be fine if restricted to pg_regress, but it would also show up in
contrib/pg_upgrade/test.sh, perhaps eventually in vcregress.pl:upgradecheck(),
perhaps in the buildfarm code, in the DBD::Pg test suite, and in any other
test suite that creates a temporary cluster. We should not lead all those
test drivers into using a temporary socket directory based on long-gone bugs
or cargo cult programming. If there are notable systems today where it helps,
that's a different matter.
Also, test drivers should not be the sole place where we express doubt about
the reliability of socket permissions. If they are unreliable on a noteworthy
target, then the unix_socket_permissions documentation ought to say so.
nm
--
Noah Misch
EnterpriseDB http://www.enterprisedb.com
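The two mechanisms the mail weighs against each other, a restrictive mode on the socket file itself (what unix_socket_permissions sets) versus a mode-0700 containing directory, are shown below as an added example in C. It is not code from this thread or from PostgreSQL; the helper names are hypothetical and the socket paths are constructed for the demonstration. Both listeners are verified by reading back the mode bits with stat() and by a same-user connect(); whether a given platform actually enforces those bits against another user is exactly the portability question the mail leaves open, so nothing here claims to answer it.

```c
/* Added example, not from the pgsql-hackers thread or the PostgreSQL sources.
 * Two ways to restrict who may connect() to a Unix-domain socket. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Option A (hypothetical helper): rely on the socket file's own mode, the
 * approach unix_socket_permissions takes. Bind with a tight umask so the
 * socket never exists with a looser mode, then chmod to 'mode'.
 * Returns the listening fd, or -1 on error. */
static int listen_unix_socket_mode(const char *path, mode_t mode)
{
    struct sockaddr_un addr;
    mode_t old_umask;
    int fd, rc;

    if (strlen(path) >= sizeof(addr.sun_path))
        return -1;
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);
    unlink(path);                 /* drop a stale socket from an earlier run */
    old_umask = umask(0077);      /* socket is created 0700, not 0777 */
    rc = bind(fd, (struct sockaddr *)&addr, sizeof addr);
    umask(old_umask);
    if (rc < 0 || chmod(path, mode) < 0 || listen(fd, 8) < 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/* Option B (hypothetical helper): rely on directory search permission.
 * Create 'dir' as 0700 and place the socket inside it; the socket file
 * itself is left at 0777, PostgreSQL's default unix_socket_permissions,
 * so that only the directory is doing the restricting. Writes the final
 * socket path into pathbuf. Returns the listening fd, or -1 on error. */
static int listen_unix_socket_in_private_dir(const char *dir, const char *name,
                                             char *pathbuf, size_t buflen)
{
    if (mkdir(dir, 0700) < 0 && errno != EEXIST)
        return -1;
    if (chmod(dir, 0700) < 0)     /* mkdir's mode is subject to umask */
        return -1;
    if (snprintf(pathbuf, buflen, "%s/%s", dir, name) >= (int)buflen)
        return -1;
    return listen_unix_socket_mode(pathbuf, 0777);
}

/* Permission bits of a filesystem object as an int (e.g. 0700), or -1. */
static int permission_bits(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0)
        return -1;
    return (int)(st.st_mode & 0777);
}

/* connect() to a Unix-domain socket as the current user.
 * Returns 0 on success, otherwise the errno from connect(). */
static int connect_unix_socket(const char *path)
{
    struct sockaddr_un addr;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);
    if (connect(fd, (struct sockaddr *)&addr, sizeof addr) < 0) {
        int e = errno;
        close(fd);
        return e;
    }
    close(fd);
    return 0;
}

int main(void)
{
    /* Constructed paths for the demonstration. */
    const char *sock_a = "/tmp/sock_example_a.s";
    const char *dir_b = "/tmp/sock_example_dir";
    char sock_b[128];
    int fd_a = listen_unix_socket_mode(sock_a, 0700);
    int fd_b = listen_unix_socket_in_private_dir(dir_b, "sock", sock_b, sizeof sock_b);

    printf("A: socket mode %04o, connect -> %d\n",
           permission_bits(sock_a), connect_unix_socket(sock_a));
    printf("B: dir mode %04o, socket mode %04o, connect -> %d\n",
           permission_bits(dir_b), permission_bits(sock_b), connect_unix_socket(sock_b));

    if (fd_a >= 0) { close(fd_a); unlink(sock_a); }
    if (fd_b >= 0) { close(fd_b); unlink(sock_b); rmdir(dir_b); }
    return 0;
}
```

The point of the comparison is visible in the two helpers' size: option A is the chmod one-liner the mail refers to, while option B drags in directory creation, a composed path the client must be told about (PGHOST in the mail's terms) and cleanup of the directory afterwards.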