Re: Securing "make check" (CVE-2014-0067)
Noah Misch <noah@leadboat.com>
From: Noah Misch <noah@leadboat.com>
To: Bruce Momjian <bruce@momjian.us>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, pgsql-hackers@postgresql.org
Date: 2014-03-06T03:56:36Z
Lists: pgsql-hackers
On Tue, Mar 04, 2014 at 07:10:27PM -0500, Bruce Momjian wrote:
> On Sat, Mar 1, 2014 at 01:35:45PM -0500, Noah Misch wrote:
> > Having that said, I can appreciate the value of tightening the socket mode for
> > a bit of *extra* safety:
> >
> > --- a/src/test/regress/pg_regress.c
> > +++ b/src/test/regress/pg_regress.c
> > @@ -2299,4 +2299,5 @@ regression_main(int argc, char *argv[], init_function ifunc, test_function tfunc
> > fputs("\n# Configuration added by pg_regress\n\n", pg_conf);
> > fputs("max_prepared_transactions = 2\n", pg_conf);
> > + fputs("unix_socket_permissions = 0700\n", pg_conf);
>
> Pg_upgrade has this exact same problem, and take the same approach. You
> might want to look in pg_upgrade/server.c.
Thanks. To avoid socket path length limitations, I lean toward placing the
socket temporary directory under /tmp rather than placing under the CWD:
http://www.postgresql.org/message-id/flat/20121129223632.GA15016@tornado.leadboat.com
--
Noah Misch
EnterpriseDB http://www.enterprisedb.com
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Have config_sspi_auth() permit IPv6 localhost connections.
- 8d9cb0bc4834 9.5.0 cited
-
Lock down regression testing temporary clusters on Windows.
- f6dc6dd5ba54 9.5.0 cited
-
Use a separate temporary directory for the Unix-domain socket
- f545d233ebce 9.5.0 cited
-
Secure Unix-domain sockets of "make check" temporary clusters.
- be76a6d39e28 9.5.0 cited