Re: Securing "make check" (CVE-2014-0067)
Andrew Dunstan <andrew@dunslane.net>
From: Andrew Dunstan <andrew@dunslane.net>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Noah Misch <noah@leadboat.com>, Magnus Hagander <magnus@hagander.net>,
PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2014-03-02T20:12:27Z
Lists: pgsql-hackers
On 03/02/2014 01:27 PM, Tom Lane wrote:
> Also, to what extent does any of this affect buildfarm animals? Whatever
> we do for "make check" will presumably make those tests safe for them,
> but how are the postmasters they test under "make installcheck" set up?
>
Nothing special.
"bin/initdb" -U buildfarm --locale=$locale data-$locale
...
"bin/pg_ctl" -D data-$locale -l logfile -w start
We have wide control over what's done, just let me know what's wanted.
For example, it would be pretty simple to make it use a non-standard
socket directory and turn tcp connections off on Unix, or to set up
password auth for that matter, assuming we already have a strong password.
I generally assume that people aren't running buildfarm animals on
general purpose multi-user machines, but it might be as well to take
precautions.
cheers
andrew
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Have config_sspi_auth() permit IPv6 localhost connections.
- 8d9cb0bc4834 9.5.0 cited
-
Lock down regression testing temporary clusters on Windows.
- f6dc6dd5ba54 9.5.0 cited
-
Use a separate temporary directory for the Unix-domain socket
- f545d233ebce 9.5.0 cited
-
Secure Unix-domain sockets of "make check" temporary clusters.
- be76a6d39e28 9.5.0 cited