| From: | Magnus Hagander <magnus(at)hagander(dot)net> |
|---|---|
| To: | Noah Misch <noah(at)leadboat(dot)com> |
| Cc: | Andrew Dunstan <andrew(at)dunslane(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Securing "make check" (CVE-2014-0067) |
| Date: | 2014-03-02 15:30:17 |
| Message-ID: | CABUevEzhcyAjW=FmFhGGR0Cct3JYq-532VK_yu5BcdooDrdptA@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Sun, Mar 2, 2014 at 6:20 AM, Noah Misch <noah(at)leadboat(dot)com> wrote:
> On Sat, Mar 01, 2014 at 05:51:46PM -0500, Andrew Dunstan wrote:
> > On 03/01/2014 05:10 PM, Tom Lane wrote:
> > >One other thought here: is it actually reasonable to expend a lot of
> effort
> > >on the Windows case? I'm not aware that people normally expect a
> Windows
> > >box to have multiple users at all, let alone non-mutually-trusting
> users.
> >
> > As Stephen said, it's fairly unusual. There are usually quite a few
> > roles, but it's rare to have more than one "human" type role
> > connected to the machine at a given time.
>
> I, too, agree it's rare. Rare enough to justify leaving the vulnerability
> open on Windows, indefinitely? I'd say not. Windows itself has been
> pushing
> steadily toward better multi-user support over the past 15 years or so.
> Releasing software for Windows as though it were a single-user platform is
> backwards-looking. We should be a model in this area, not a straggler.
>
Terminal Services have definitely become more common over time, but with
faster and cheaper virtualization, a lot of people have switched to that
instead, which would remove the problem of course.
I wonder how common it actually is, though, to *build postgres* on a
terminal services machine with other users on it...
Not saying we can't ignore it, and I gree that we should not be a straggler
on this, so doing a proper fix wwould definitely be the better.
> I'd be happy doing nothing in this case, or not very much. e.g.
> > provide a password but not with great cryptographic strength.
>
> One option that would simplify things is to fix only non-Windows in the
> back
> branches, via socket protection, and fix Windows in HEAD only. We could
> even
> do so by extending HAVE_UNIX_SOCKETS support to Windows through named
> pipes.
That could certainly be a useful feature of it's own. But as you say,
non-backpatchable.
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Stephen Frost | 2014-03-02 17:23:22 | Re: Securing "make check" (CVE-2014-0067) |
| Previous Message | Andres Freund | 2014-03-02 13:39:05 | heapgetpage() and ->takenDuringRecovery |