Re: Securing "make check" (CVE-2014-0067)

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Noah Misch <noah(at)leadboat(dot)com>
Cc: Bruce Momjian <bruce(at)momjian(dot)us>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Securing "make check" (CVE-2014-0067)
Date: 2014-03-06 17:44:34
Message-ID: 28158.1394127874@sss.pgh.pa.us
Lists: pgsql-hackers

Noah Misch <noah(at)leadboat(dot)com> writes:
> Thanks. To avoid socket path length limitations, I lean toward placing the
> socket temporary directory under /tmp rather than placing under the CWD:

I'm not thrilled with that; it's totally insecure on platforms where /tmp
isn't "sticky", so it doesn't seem like an appropriate solution given
that this discussion is now being driven by security concerns.

> http://www.postgresql.org/message-id/flat/20121129223632(dot)GA15016(at)tornado(dot)leadboat(dot)com

I re-read that thread. While we did fix the reporting end of it, i.e.
the postmaster will now give you a clear failure message if your
socket path is too long, that's going to be cold comfort to anyone
who has to build in an environment they don't have much control over
(such as my still-hypothetical-I-hope scenario about Red Hat package
updates).

I'm inclined to suggest that we should put the socket under $CWD by
default, but provide some way for the user to override that choice.
If they want to put it in /tmp, it's on their head as to how secure
that is. On most modern platforms it'd be fine.

regards, tom lane
