database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-06-14 18:42:34 +03:00
Code Activity

Secure Unix-domain sockets of "make check" temporary clusters.

Browse Source 
Any OS user able to access the socket can connect as the bootstrap
superuser and proceed to execute arbitrary code as the OS user running
the test.  Protect against that by placing the socket in a temporary,
mode-0700 subdirectory of /tmp.  The pg_regress-based test suites and
the pg_upgrade test suite were vulnerable; the $(prove_check)-based test
suites were already secure.  Back-patch to 8.4 (all supported versions).
The hazard remains wherever the temporary cluster accepts TCP
connections, notably on Windows.

As a convenient side effect, this lets testing proceed smoothly in
builds that override DEFAULT_PGSOCKET_DIR.  Popular non-default values
like /var/run/postgresql are often unwritable to the build user.

Security: CVE-2014-0067
This commit is contained in:
Noah Misch
2014-06-14 09:41:13 -04:00
parent 598efaa37f
commit 6583a75b28
3 changed files with 143 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
doc/src/sgml/regress.sgml
View File

@ -58,21 +58,14 @@ make check
<warning>
<para>
This test method starts a temporary server, which is configured to accept
any connection originating on the local machine. Any local user can gain
database superuser privileges when connecting to this server, and could
in principle exploit all privileges of the operating-system user running
the tests. Therefore, it is not recommended that you use <literal>make
check</> on machines shared with untrusted users. Instead, run the tests
after completing the installation, as described in the next section.
</para>
<para>
On Unix-like machines, this danger can be avoided if the temporary
server's socket file is made inaccessible to other users, for example
by running the tests in a protected chroot. On Windows, the temporary
server opens a locally-accessible TCP socket, so filesystem protections
cannot help.
On systems lacking Unix-domain sockets, notably Windows, this test method
starts a temporary server configured to accept any connection originating
on the local machine. Any local user can gain database superuser
privileges when connecting to this server, and could in principle exploit
all privileges of the operating-system user running the tests. Therefore,
it is not recommended that you use <literal>make check</> on an affected
system shared with untrusted users. Instead, run the tests after
completing the installation, as described in the next section.
</para>
</warning>