Re: Securing "make check" (CVE-2014-0067)
Christoph Berg <cb@df7cb.de>
From: Christoph Berg <cb@df7cb.de>
To: Bruce Momjian <bruce@momjian.us>, Noah Misch <noah@leadboat.com>,
pgsql-hackers@postgresql.org, Tom Lane <tgl@sss.pgh.pa.us>,
Peter Eisentraut <peter_e@gmx.net>
Date: 2014-07-11T09:40:09Z
Lists: pgsql-hackers
Attachments
- pg_upgrade_socket_in_tmp.patch (text/x-diff) patch
Re: To Bruce Momjian 2014-07-11 <20140711093923.GA3115@msg.df7cb.de> > Re: Bruce Momjian 2014-07-08 <20140708202114.GD9466@momjian.us> > > > > > I believe pg_upgrade itself still needs a fix. While it's not a > > > > > security problem to put the socket in $CWD while upgrading (it is > > > > > using -c unix_socket_permissions=0700), this behavior is pretty > > > > > unexpected, and does fail if your $CWD is > 107 bytes. > > > > > > > > > > In f545d233ebce6971b6f9847680e48b679e707d22 Peter fixed the pg_ctl > > > > > perl tests to avoid that problem, so imho it would make even more > > > > > sense to fix pg_upgrade which could also fail in production. > > > > > > > > +1. Does writing that patch interest you? > > > > > > I'll give it a try once I've finished this CF review. > > > > OK. Let me know if you need help. > > Here's the patch. Proposed commit message: > > Create pg_upgrade sockets in temp directories > > pg_upgrade used to use the current directory for UNIX sockets to > access the old/new cluster. This fails when the current path is > > 107 bytes. Fix by reusing the tempdir code from pg_regress > introduced in be76a6d39e2832d4b88c0e1cc381aa44a7f86881. For cleanup, > we need to remember up to two directories. Uh... now really. Christoph -- cb@df7cb.de | http://www.df7cb.de/
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Have config_sspi_auth() permit IPv6 localhost connections.
- 8d9cb0bc4834 9.5.0 cited
-
Lock down regression testing temporary clusters on Windows.
- f6dc6dd5ba54 9.5.0 cited
-
Use a separate temporary directory for the Unix-domain socket
- f545d233ebce 9.5.0 cited
-
Secure Unix-domain sockets of "make check" temporary clusters.
- be76a6d39e28 9.5.0 cited