Re: Securing "make check" (CVE-2014-0067)

From: Noah Misch <noah(at)leadboat(dot)com>
To: pgsql-hackers(at)postgresql(dot)org
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <bruce(at)momjian(dot)us>
Subject: Re: Securing "make check" (CVE-2014-0067)
Date: 2014-03-23 23:07:05
Message-ID: 20140323230705.GA4158378@tornado.leadboat.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Sun, Mar 23, 2014 at 07:04:20PM -0400, Noah Misch wrote:
> On Thu, Mar 06, 2014 at 11:52:22PM -0500, Noah Misch wrote:
> > On Thu, Mar 06, 2014 at 12:44:34PM -0500, Tom Lane wrote:
> > > I'm inclined to suggest that we should put the socket under $CWD by
> > > default, but provide some way for the user to override that choice.
> > > If they want to put it in /tmp, it's on their head as to how secure
> > > that is. On most modern platforms it'd be fine.
> >
> > I am skeptical about the value of protecting systems with non-sticky /tmp, but
> > long $CWD isn't of great importance, either. I'm fine with your suggestion.
> > Though the $CWD or one of its parents could be world-writable, that would
> > typically mean an attacker could just replace the test cases directly.
>
> Here's the patch. The temporary data directory makes for a convenient socket
> directory; initdb already gives it mode 0700, and we have existing
> arrangements to purge it when finished. One can override the socket directory
> by defining PG_REGRESS_SOCK_DIR in the environment.

And here's a documentation patch warning about the limited applicability of
unix_socket_permissions.

Attachment Content-Type Size
sockperm-doc-v1.patch text/plain 754 bytes

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Etsuro Fujita 2014-03-24 01:47:45 Re: inherit support for foreign tables
Previous Message Noah Misch 2014-03-23 23:04:20 Re: Securing "make check" (CVE-2014-0067)