| From: | David Rowley <dgrowleyml(at)gmail(dot)com> |
|---|---|
| To: | Noah Misch <noah(at)leadboat(dot)com> |
| Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Magnus Hagander <magnus(at)hagander(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Andrew Dunstan <andrew(at)dunslane(dot)net> |
| Subject: | Re: Securing "make check" (CVE-2014-0067) |
| Date: | 2014-12-25 02:55:02 |
| Message-ID: | CAApHDvo20RrjizJ-8iXxLHUPeMkABP00uojLpe12uH7B4sNAwg@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 30 November 2014 at 15:02, Noah Misch <noah(at)leadboat(dot)com> wrote:
> On Sun, Sep 21, 2014 at 02:31:15AM -0400, Noah Misch wrote:
> > It then dawned on me that every Windows build of PostgreSQL already has
> a way
> > to limit connections to a particular OS user. SSPI authentication is
> > essentially the Windows equivalent of peer authentication. A brief trial
> > thereof looked promising. Regression runs will need a pg_ident.conf
> listing
> > each role used in the regression tests. That's not ideal, but the
> buildfarm
> > will quickly reveal any omissions. Unless someone sees a problem here,
> I will
> > look at fleshing this out into a complete patch. I bet it will even
> turn out
> > to be back-patchable.
>
> That worked out nicely. "pg_regress --temp-install" rewrites pg_ident.conf
> and pg_hba.conf such that the current OS user may authenticate as the
> bootstrap superuser and as any user named in --create-role. Suites not
> using
> --temp-install (pg_upgrade, TAP) call "pg_regress --config-auth=DATADIR" to
> pick up those same configuration changes. My hope is that out-of-tree test
> harnesses wanting this hardening can do likewise. On non-Windows systems,
> "pg_regress --config-auth" does nothing.
>
>
>
f6dc6dd seems to have broken vcregress check for me:
D:\Postgres\a\src\tools\msvc>vcregress check
============== removing existing temp installation ==============
============== creating temporary installation ==============
============== initializing database system ==============
============== starting postmaster ==============
pg_regress: postmaster did not respond within 60 seconds
Examine D:/Postgres/a/src/test/regress/log/postmaster.log for the reason
The postmaster.log reads:
LOG: database system was shut down at 2014-12-25 15:26:33 NZDT
LOG: database system is ready to accept connections
LOG: autovacuum launcher started
FATAL: no pg_hba.conf entry for host "::1", user "David", database
"postgres"
...
FATAL: no pg_hba.conf entry for host "::1", user "David", database
"postgres"
Having a look at the pg_hba.conf that's been generated by pgregress, it
looks like it only adds a line for IPv4 addresses.
I'll admit that I don't have a great understanding of what the SSPI stuff
is about, but at least the attached patch seems to fix the problem for me.
Regards
David Rowley
| Attachment | Content-Type | Size |
|---|---|---|
| vcregress_ipv6_fix.diff | text/plain | 579 bytes |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Michael Paquier | 2014-12-25 03:31:58 | Re: Securing "make check" (CVE-2014-0067) |
| Previous Message | Kouhei Kaigai | 2014-12-25 01:54:44 | Re: ctidscan as an example of custom-scan (Re: [v9.5] Custom Plan API) |