Re: Securing "make check" (CVE-2014-0067)
Magnus Hagander <magnus@hagander.net>
From: Magnus Hagander <magnus@hagander.net>
To: Andrew Dunstan <andrew@dunslane.net>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, Noah Misch <noah@leadboat.com>,
PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2014-03-01T18:20:52Z
Lists: pgsql-hackers
On Sat, Mar 1, 2014 at 7:09 PM, Andrew Dunstan <andrew@dunslane.net> wrote: > > On 03/01/2014 12:29 PM, Tom Lane wrote: > > >> In the case of Unix systems, there is a *far* simpler and more portable >> solution technique, which is to tell the test postmaster to put its socket >> in some non-world-accessible directory created by the test scaffolding. >> > > > +1 - I'm all for KISS. > > > >> Of course that doesn't work for Windows, which is why we looked at the >> random-password solution. But I wonder whether we shouldn't use the >> nonstandard-socket-location approach everywhere else, and only use random >> passwords on Windows. That would greatly reduce the number of cases to >> worry about for portability of the password-generation code; and perhaps >> we could also push the crypto issue into reliance on some Windows-supplied >> functionality (though I'm just speculating about that part). >> > > > See for example <http://msdn.microsoft.com/en-us/library/windows/desktop/ > aa379942%28v=vs.85%29.aspx> > For a one-off password used locally only, we could also consider just using a guid, and generate it using http://msdn.microsoft.com/en-us/library/windows/desktop/aa379205(v=vs.85).aspx. Obviously windows only though - do we have *any* Unix platforms that can't do unix sockets? -- Magnus Hagander Me: http://www.hagander.net/ Work: http://www.redpill-linpro.com/
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Have config_sspi_auth() permit IPv6 localhost connections.
- 8d9cb0bc4834 9.5.0 cited
-
Lock down regression testing temporary clusters on Windows.
- f6dc6dd5ba54 9.5.0 cited
-
Use a separate temporary directory for the Unix-domain socket
- f545d233ebce 9.5.0 cited
-
Secure Unix-domain sockets of "make check" temporary clusters.
- be76a6d39e28 9.5.0 cited