Re: Securing "make check" (CVE-2014-0067)

YAMAMOTO Takashi <yamt@netbsd.org>

From: yamt@netbsd.org (YAMAMOTO Takashi)
To: noah@leadboat.com
Cc: bruce@momjian.us, tgl@sss.pgh.pa.us, pgsql-hackers@postgresql.org
Date: 2014-04-04T02:36:05Z
Lists: pgsql-hackers
> Thanks.  To avoid socket path length limitations, I lean toward placing the
> socket temporary directory under /tmp rather than placing under the CWD:
> 
> http://www.postgresql.org/message-id/flat/20121129223632.GA15016@tornado.leadboat.com

openvswitch has some tricks to overcome the socket path length
limitation using symlink.  (or procfs where available)
iirc these were introduced for debian builds which use deep CWD.

http://git.openvswitch.org/cgi-bin/gitweb.cgi?p=openvswitch;a=blob;f=lib/socket-
util.c;h=aa0c7196da9926de38b7388b8e28ead12e12913e;hb=HEAD

look at shorten_name_via_symlink and shorten_name_via_proc.

YAMAMOTO Takashi


Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. Have config_sspi_auth() permit IPv6 localhost connections.

  2. Lock down regression testing temporary clusters on Windows.

  3. Use a separate temporary directory for the Unix-domain socket

  4. Secure Unix-domain sockets of "make check" temporary clusters.