Re: Securing "make check" (CVE-2014-0067)
Stephen Frost <sfrost@snowman.net>
From: Stephen Frost <sfrost@snowman.net>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Noah Misch <noah@leadboat.com>, pgsql-hackers@postgresql.org
Date: 2014-03-01T21:53:56Z
Lists: pgsql-hackers
* Tom Lane (tgl@sss.pgh.pa.us) wrote: > In the case of Unix systems, there is a *far* simpler and more portable > solution technique, which is to tell the test postmaster to put its socket > in some non-world-accessible directory created by the test scaffolding. Yes, yes, yes. > Of course that doesn't work for Windows, which is why we looked at the > random-password solution. But I wonder whether we shouldn't use the > nonstandard-socket-location approach everywhere else, and only use random > passwords on Windows. That would greatly reduce the number of cases to > worry about for portability of the password-generation code; and perhaps > we could also push the crypto issue into reliance on some Windows-supplied > functionality (though I'm just speculating about that part). Multi-user Windows build systems are *far* more rare than unix equivilants (though even those are semi-rare in these days w/ all the VMs running around, but still, you may have University common unix systems with students building PG- the same just doesn't exist in my experience on the Windows side). Thanks, Stephen
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Have config_sspi_auth() permit IPv6 localhost connections.
- 8d9cb0bc4834 9.5.0 cited
-
Lock down regression testing temporary clusters on Windows.
- f6dc6dd5ba54 9.5.0 cited
-
Use a separate temporary directory for the Unix-domain socket
- f545d233ebce 9.5.0 cited
-
Secure Unix-domain sockets of "make check" temporary clusters.
- be76a6d39e28 9.5.0 cited