From: | Noah Misch <noah(at)leadboat(dot)com> |
---|---|
To: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Magnus Hagander <magnus(at)hagander(dot)net> |
Subject: | Re: Securing "make check" (CVE-2014-0067) |
Date: | 2014-03-04 15:09:27 |
Message-ID: | 20140304150927.GA3501472@tornado.leadboat.com |
Lists: | pgsql-hackers |

On Sun, Mar 02, 2014 at 05:38:38PM -0500, Noah Misch wrote:
> Concerning the immediate fix for non-Windows systems, does any modern system
> ignore modes of Unix domain sockets? It appears to be a long-fixed problem:
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-1402
> http://unix.stackexchange.com/questions/83032/which-systems-do-not-honor-socket-read-write-permissions
>
> Nonetheless, it would be helpful for folks to test any rare platforms they
> have at hand. Start a postmaster with --unix-socket-permissions=0000 and
> attempt to connect via local socket. If psql gives something other than
> "psql: could not connect to server: Permission denied", please report it.

Some results are in. Both Solaris 10 and omnios-6de5e81 (OmniOS v11 r151008)
ignore socket modes. That justifies wrapping the socket in a directory.

--
Noah Misch
EnterpriseDB http://www.enterprisedb.com
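
The mitigation named in this message, as an added example that is not code from the post or from PostgreSQL: the socket is bound inside a freshly created 0700 directory, so access depends on directory search permission rather than on the socket's own mode. The helper name `listen_in_private_dir`, the `/tmp/sockdir-XXXXXX` template and the socket file name used in `main` are assumptions.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for mkdtemp() under strict compiler modes */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

/* Added example; listen_in_private_dir() is a hypothetical helper.
 * mkdtemp() rewrites tmpl in place. Returns the listening fd, or -1. */
int listen_in_private_dir(char *tmpl, const char *sockname,
                          char *path, size_t pathlen)
{
    struct sockaddr_un addr;
    struct stat st;
    int fd, n;
    if (mkdtemp(tmpl) == NULL)      /* new directory, created with mode 0700 */
        return -1;
    /* Confirm the result: owned by us, no group/other permission bits. */
    if (stat(tmpl, &st) != 0 || st.st_uid != geteuid() ||
        (st.st_mode & (S_IRWXG | S_IRWXO)) != 0)
        return -1;
    n = snprintf(path, pathlen, "%s/%s", tmpl, sockname);
    if (n < 0 || (size_t) n >= pathlen || (size_t) n >= sizeof(addr.sun_path))
        return -1;                  /* path would not fit in sun_path */
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    memcpy(addr.sun_path, path, (size_t) n + 1);
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        return -1;
    if (bind(fd, (struct sockaddr *) &addr, sizeof(addr)) != 0 ||
        listen(fd, 5) != 0)
    { close(fd); return -1; }
    return fd;
}

int main(void)
{
    char tmpl[] = "/tmp/sockdir-XXXXXX", path[108];   /* constructed sample */
    int fd = listen_in_private_dir(tmpl, ".s.PGSQL.5432", path, sizeof(path));
    if (fd < 0) { fprintf(stderr, "could not create private socket\n"); return 1; }
    printf("listening on %s\n", path);
    close(fd); unlink(path); rmdir(tmpl);
    return 0;
}
```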