Re: Securing "make check" (CVE-2014-0067)
Stephen Frost <sfrost@snowman.net>
From: Stephen Frost <sfrost@snowman.net>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Noah Misch <noah@leadboat.com>, Andrew Dunstan <andrew@dunslane.net>,
Magnus Hagander <magnus@hagander.net>,
PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2014-03-03T07:50:21Z
Lists: pgsql-hackers
* Tom Lane (tgl@sss.pgh.pa.us) wrote: > Noah Misch <noah@leadboat.com> writes: > > Concerning the immediate fix for non-Windows systems, does any modern system > > ignore modes of Unix domain sockets? It appears to be a long-fixed problem: > > What I was envisioning was that we'd be relying on the permissions of the > containing directory to keep out bad guys. Permissions on the socket > itself might be sufficient, but what does it save us to assume that? Agreed- the general approach to this, from what I've seen, is to handle it with the directory. Thanks, Stephen
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Have config_sspi_auth() permit IPv6 localhost connections.
- 8d9cb0bc4834 9.5.0 cited
-
Lock down regression testing temporary clusters on Windows.
- f6dc6dd5ba54 9.5.0 cited
-
Use a separate temporary directory for the Unix-domain socket
- f545d233ebce 9.5.0 cited
-
Secure Unix-domain sockets of "make check" temporary clusters.
- be76a6d39e28 9.5.0 cited