Re: Securing "make check" (CVE-2014-0067)

On Thu, Mar 06, 2014 at 12:44:34PM -0500, Tom Lane wrote:
> Noah Misch <noah(at)leadboat(dot)com> writes:
> > Thanks. To avoid socket path length limitations, I lean toward placing the
> > socket temporary directory under /tmp rather than placing under the CWD:
>
> I'm not thrilled with that; it's totally insecure on platforms where /tmp
> isn't "sticky", so it doesn't seem like an appropriate solution given
> that this discussion is now being driven by security concerns.
>
> > http://www.postgresql.org/message-id/flat/20121129223632(dot)GA15016(at)tornado(dot)leadboat(dot)com
>
> I re-read that thread. While we did fix the reporting end of it, ie
> the postmaster will now give you a clear failure message if your
> socket path is too long, that's going to be cold comfort to anyone
> who has to build in an environment they don't have much control over
> (such as my still-hypothetical-I-hope scenario about Red Hat package
> updates).
>
> I'm inclined to suggest that we should put the socket under $CWD by
> default, but provide some way for the user to override that choice.
> If they want to put it in /tmp, it's on their head as to how secure
> that is. On most modern platforms it'd be fine.

I am skeptical about the value of protecting systems with non-sticky /tmp, but
long $CWD isn't of great importance, either. I'm fine with your suggestion.
Though the $CWD or one of its parents could be world-writable, that would
typically mean an attacker could just replace the test cases directly.

--
Noah Misch
EnterpriseDB http://www.enterprisedb.com