Re: Securing "make check" (CVE-2014-0067)

From: Noah Misch <noah(at)leadboat(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Andrew Dunstan <andrew(at)dunslane(dot)net>, Magnus Hagander <magnus(at)hagander(dot)net>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Securing "make check" (CVE-2014-0067)
Date: 2014-03-04 00:53:21
Message-ID: 20140304005321.GB3477828@tornado.leadboat.com
Lists: pgsql-hackers

On Mon, Mar 03, 2014 at 01:29:00AM -0500, Tom Lane wrote:
> Noah Misch <noah(at)leadboat(dot)com> writes:
> > Concerning the immediate fix for non-Windows systems, does any modern system
> > ignore modes of Unix domain sockets? It appears to be a long-fixed problem:
>
> What I was envisioning was that we'd be relying on the permissions of the
> containing directory to keep out bad guys. Permissions on the socket
> itself might be sufficient, but what does it save us to assume that?

My first preference is to use the simplest code that POSIX requires to have
the behavior we desire. POSIX specifies as implementation-defined whether
connect() checks filesystem permissions. That's true of both directory search
permissions and permissions on the socket itself. POSIX alone can't help us
here.

My second preference is to use the simplest code known to be portable to all
credible PostgreSQL target systems. Brief research was inconclusive, but it
turned up no solid evidence of a modern target ignoring socket permissions.
(It did turn up solid evidence of 15-year-old targets having that problem.) I
found no evidence either way concerning the prevalence of systems that ignore
directory search permissions above sockets.

I don't care for interposing a directory based solely on the fact that some
ancient systems needed that. Changing unix_socket_permissions is a one-liner
in each test driver. Placing the socket in a directory entails setting PGHOST
in the psql and postmaster environments and cleaning up the directory on exit.
That would be fine if restricted to pg_regress, but it would also show up in
contrib/pg_upgrade/test.sh, perhaps eventually in vcregress.pl:upgradecheck(),
perhaps in the buildfarm code, in the DBD::Pg test suite, and in any other
test suite that creates a temporary cluster. We should not lead all those
test drivers into using a temporary socket directory based on long-gone bugs
or cargo cult programming. If there are notable systems today where it helps,
that's a different matter.

Also, test drivers should not be the sole place where we express doubt about
the reliability of socket permissions. If they are unreliable on a noteworthy
target, then the unix_socket_permissions documentation ought to say so.

nm

--
Noah Misch
EnterpriseDB http://www.enterprisedb.com
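The portability question Noah raises, whether connect() honours the mode of the socket file and of its containing directory, is something a target system can be probed for directly. The following is an added example written for this page, not code from the thread or from PostgreSQL: it binds a listening Unix-domain socket in a scratch directory (the path and the `.s.PGSQL.probe` file name are assumptions chosen to mimic the postmaster's naming), confirms the owner can connect with owner-only modes, then sets either the socket file or the directory to mode 0 and reports whether connect() is refused with EACCES. It runs both variants, and treats a root process as inconclusive because root bypasses discretionary permission checks.

```c
/* Added example (not PostgreSQL code): probe whether the running OS enforces
 * file permissions when a client connect()s to a Unix-domain socket, once
 * with the socket file itself set to mode 0 and once with its containing
 * directory set to mode 0. POSIX leaves both checks implementation-defined. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

enum probe_result {
    PROBE_ERROR = -1,        /* setup failed or unexpected errno */
    PROBE_NOT_ENFORCED = 0,  /* connect() succeeded despite mode 0 */
    PROBE_ENFORCED = 1,      /* connect() refused with EACCES/EPERM */
    PROBE_INCONCLUSIVE = 2   /* running as root, which bypasses DAC */
};

/* Return 0 if connect() to `path` succeeds, otherwise -errno. */
static int try_connect(const char *path)
{
    struct sockaddr_un addr;
    int fd, rc, err;

    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof addr.sun_path - 1);
    rc = connect(fd, (struct sockaddr *) &addr, sizeof addr);
    err = errno;
    close(fd);
    return rc == 0 ? 0 : -err;
}

/* `dir` is a scratch directory (assumed path, created and removed here).
 * `restrict_directory` selects which object loses its permissions:
 * 0 = the socket file (the unix_socket_permissions approach),
 * 1 = the containing directory (the private-socket-directory approach). */
int probe_socket_perms(const char *dir, int restrict_directory)
{
    struct sockaddr_un addr;
    char sockpath[sizeof addr.sun_path];
    int lfd, rc, result;

    if (mkdir(dir, 0700) != 0 && errno != EEXIST)
        return PROBE_ERROR;
    if (snprintf(sockpath, sizeof sockpath, "%s/.s.PGSQL.probe", dir)
        >= (int) sizeof sockpath) {
        rmdir(dir);
        return PROBE_ERROR;
    }
    unlink(sockpath);

    lfd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (lfd < 0) {
        rmdir(dir);
        return PROBE_ERROR;
    }
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, sockpath, sizeof addr.sun_path - 1);
    if (bind(lfd, (struct sockaddr *) &addr, sizeof addr) != 0
        || listen(lfd, 5) != 0 || chmod(sockpath, 0600) != 0) {
        close(lfd);
        unlink(sockpath);
        rmdir(dir);
        return PROBE_ERROR;
    }

    /* Baseline: with owner-only modes the owner must be able to connect. */
    if (try_connect(sockpath) != 0)
        result = PROBE_ERROR;
    else if (geteuid() == 0)
        result = PROBE_INCONCLUSIVE;
    else {
        chmod(restrict_directory ? dir : sockpath, 0);
        rc = try_connect(sockpath);
        chmod(restrict_directory ? dir : sockpath, restrict_directory ? 0700 : 0600);
        if (rc == 0)
            result = PROBE_NOT_ENFORCED;
        else if (rc == -EACCES || rc == -EPERM)
            result = PROBE_ENFORCED;
        else
            result = PROBE_ERROR;
    }

    close(lfd);
    unlink(sockpath);
    rmdir(dir);
    return result;
}

int main(void)
{
    static const char *names[] = { "socket file", "containing directory" };
    int i;

    for (i = 0; i < 2; i++) {
        int r = probe_socket_perms("/tmp/pg_sockperm_probe", i);
        printf("mode 0 on %s: %s\n", names[i],
               r == PROBE_ENFORCED ? "connect() refused" :
               r == PROBE_NOT_ENFORCED ? "connect() still succeeds" :
               r == PROBE_INCONCLUSIVE ? "inconclusive (running as root)" :
               "probe error");
    }
    return 0;
}
```

A result of "connect() still succeeds" for the socket-file case on a given target is exactly the evidence that would justify the directory-based scheme (and a caveat in the unix_socket_permissions documentation); "refused" for both cases means either mechanism suffices there. Run it as the unprivileged user the test driver would use, since root makes the result meaningless.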
