Re: Using AF_UNIX sockets always for tests on Windows

From: Juan José Santamaría Flecha <juanjo(dot)santamaria(at)gmail(dot)com>
To: Thomas Munro <thomas(dot)munro(at)gmail(dot)com>
Cc: pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Using AF_UNIX sockets always for tests on Windows
Date: 2023-01-16 12:05:12
Message-ID: CAC+AXB0VubLbhsuXkYb9aL5d5q3=w7kR1GFZmBp8bRJzj8gtFQ@mail.gmail.com
Lists: pgsql-hackers

Hello,

On Fri, Dec 2, 2022 at 1:03 AM Thomas Munro <thomas(dot)munro(at)gmail(dot)com> wrote:

>
> 1. Teach mkdtemp() to make a non-world-accessible directory. This is
> required to be able to make a socket that other processes can't
> connect to, to match the paranoia level used on Unix. This was
> written just by reading documentation, because I am not a Windows
> user, so I would be grateful for a second opinion and/or testing from
> a Windows hacker, which would involve testing with two different
> users. The idea is that Windows' mkdir() is completely ignoring the
> permissions (we can see in the mingw headers that it literally throws
> away the mode argument), so we shouldn't use that, but native
> CreateDirectory() when given a pointer to a SECURITY_ATTRIBUTES with
> lpSecurityDesciptor set to NULL should only allow the current user to
> access the object (directory). Does this really work, and would it be
> better to create some more explicit private-keep-out
> SECURITY_ATTRIBUTE, and how would that look?
>

A directory created with a NULL SECURITY_ATTRIBUTES inherits the ACL from
its parent directory [1]. In this case, its parent is the designated
temporary location, which should already have limited access.

You can create an explicit DACL for that directory; PFA a patch that does so.
This is just an example, not something that I'm proposing as a committable
alternative.

> I'm fairly sure that filesystem permissions must be enough to stop
> another OS user from connecting, because it's clear from documentation
> that AF_UNIX works on Windows by opening the file and reading some
> magic "reparse" data from inside it, so if you can't see into the
> containing directory, you can't do it. This patch is the one the rest
> are standing on, because the tests should match Unix in their level of
> security.
>

Yes, this is correct.

>
> Only the first patch is modified, but I'm including all of them so they go
> through the cfbot.

[1] https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilea

Regards,

Juan José Santamaría Flecha

Attachment Content-Type Size
v2-0004-Doc-Abstract-AF_UNIX-sockets-don-t-work-on-Windows-a.patch application/octet-stream 1.5 KB
v2-0003-WIP-Stop-using-TCP-in-TAP-tests-on-Windows.patch application/octet-stream 10.0 KB
v2-0002-WIP-Always-use-Unix-domain-sockets-in-pg_regress-on-.patch application/octet-stream 10.7 KB
v2-0001-WIP-Make-mkdtemp-more-secure-on-Windows.patch application/octet-stream 2.5 KB
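The explicit-DACL alternative discussed in this message, as an added PowerShell example that is not part of the thread, the attached patch, or PostgreSQL: it creates a temp directory whose DACL is protected from inheritance and grants access only to the current user, and beside it lists the ACEs a plainly created sibling directory inherits from the same parent, which is what a NULL SECURITY_ATTRIBUTES directory ends up with. The function names and the choice of FullControl for the owner are assumptions.

```powershell
# Added example (not from the thread or PostgreSQL). Requires Windows PowerShell
# or PowerShell 7 on Windows; run it as the user whose temp directory it inspects.

function New-PrivateTempDirectory {
    param([string]$Parent = [System.IO.Path]::GetTempPath())
    $path = Join-Path $Parent ([System.IO.Path]::GetRandomFileName())
    $dir  = New-Item -ItemType Directory -Path $path
    $acl  = Get-Acl -Path $dir.FullName
    # Protect the DACL from inheritance and discard the inherited ACEs
    # ($true = protected, $false = do not preserve inherited rules).
    $acl.SetAccessRuleProtection($true, $false)
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $me,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    # The creator owns the directory, so no extra privilege is needed to set its DACL.
    Set-Acl -Path $dir.FullName -AclObject $acl
    return $dir.FullName
}

function Get-DirectoryAccessSummary {
    param([string]$Path)
    # One row per ACE: who, which rights, and whether it came from the parent.
    (Get-Acl -Path $Path).Access | ForEach-Object {
        [pscustomobject]@{
            Identity  = $_.IdentityReference.Value
            Rights    = $_.FileSystemRights
            Inherited = $_.IsInherited
        }
    }
}

# Sibling created with default security: its ACEs are all inherited from the parent.
$parent    = [System.IO.Path]::GetTempPath()
$inherited = New-Item -ItemType Directory -Path (Join-Path $parent ([System.IO.Path]::GetRandomFileName()))
"--- ACL inherited from $parent ---"
Get-DirectoryAccessSummary $inherited.FullName | Format-Table -AutoSize

# Directory with the explicit, non-inherited DACL: a single ACE for the current user.
$private = New-PrivateTempDirectory -Parent $parent
"--- explicit DACL on $private ---"
Get-DirectoryAccessSummary $private | Format-Table -AutoSize
```

When the parent is the per-user %TEMP% the inherited rows already name only the user, SYSTEM and Administrators; point `-Parent` at a shared location to see why the explicit DACL matters there.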
