Re: Securing "make check" (CVE-2014-0067)
Noah Misch <noah@leadboat.com>
From: Noah Misch <noah@leadboat.com>
To: PostgreSQL-development <pgsql-hackers@postgresql.org>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, Andrew Dunstan <andrew@dunslane.net>,
Magnus Hagander <magnus@hagander.net>
Date: 2014-03-04T15:09:27Z
Lists: pgsql-hackers
On Sun, Mar 02, 2014 at 05:38:38PM -0500, Noah Misch wrote: > Concerning the immediate fix for non-Windows systems, does any modern system > ignore modes of Unix domain sockets? It appears to be a long-fixed problem: > > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-1402 > http://unix.stackexchange.com/questions/83032/which-systems-do-not-honor-socket-read-write-permissions > > Nonetheless, it would be helpful for folks to test any rare platforms they > have at hand. Start a postmaster with --unix-socket-permissions=0000 and > attempt to connect via local socket. If psql gives something other than > "psql: could not connect to server: Permission denied", please report it. Some results are in. Both Solaris 10 and omnios-6de5e81 (OmniOS v11 r151008) ignore socket modes. That justifies wrapping the socket in a directory. -- Noah Misch EnterpriseDB http://www.enterprisedb.com
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Have config_sspi_auth() permit IPv6 localhost connections.
- 8d9cb0bc4834 9.5.0 cited
-
Lock down regression testing temporary clusters on Windows.
- f6dc6dd5ba54 9.5.0 cited
-
Use a separate temporary directory for the Unix-domain socket
- f545d233ebce 9.5.0 cited
-
Secure Unix-domain sockets of "make check" temporary clusters.
- be76a6d39e28 9.5.0 cited