diff options
| author | Noah Misch <noah@leadboat.com> | 2014-06-14 09:41:13 -0400 |
|---|---|---|
| committer | Noah Misch <noah@leadboat.com> | 2014-06-14 09:41:13 -0400 |
| commit | be76a6d39e2832d4b88c0e1cc381aa44a7f86881 (patch) | |
| tree | 778632223be19e4552e3f2dadefddb558807b4c0 /doc/src | |
| parent | 9e6b1bf258170e62dac555fc82ff0536dfe01d29 (diff) | |
| download | postgresql-be76a6d39e2832d4b88c0e1cc381aa44a7f86881.tar.gz postgresql-be76a6d39e2832d4b88c0e1cc381aa44a7f86881.zip | |
Secure Unix-domain sockets of "make check" temporary clusters.
Any OS user able to access the socket can connect as the bootstrap
superuser and proceed to execute arbitrary code as the OS user running
the test. Protect against that by placing the socket in a temporary,
mode-0700 subdirectory of /tmp. The pg_regress-based test suites and
the pg_upgrade test suite were vulnerable; the $(prove_check)-based test
suites were already secure. Back-patch to 8.4 (all supported versions).
The hazard remains wherever the temporary cluster accepts TCP
connections, notably on Windows.
As a convenient side effect, this lets testing proceed smoothly in
builds that override DEFAULT_PGSOCKET_DIR. Popular non-default values
like /var/run/postgresql are often unwritable to the build user.
Security: CVE-2014-0067
Diffstat (limited to 'doc/src')
| -rw-r--r-- | doc/src/sgml/regress.sgml | 23 |
1 files changed, 8 insertions, 15 deletions
diff --git a/doc/src/sgml/regress.sgml b/doc/src/sgml/regress.sgml index aee049a3d5a..13802e8f419 100644 --- a/doc/src/sgml/regress.sgml +++ b/doc/src/sgml/regress.sgml @@ -58,21 +58,14 @@ make check <warning> <para> - This test method starts a temporary server, which is configured to accept - any connection originating on the local machine. Any local user can gain - database superuser privileges when connecting to this server, and could - in principle exploit all privileges of the operating-system user running - the tests. Therefore, it is not recommended that you use <literal>make - check</> on machines shared with untrusted users. Instead, run the tests - after completing the installation, as described in the next section. - </para> - - <para> - On Unix-like machines, this danger can be avoided if the temporary - server's socket file is made inaccessible to other users, for example - by running the tests in a protected chroot. On Windows, the temporary - server opens a locally-accessible TCP socket, so filesystem protections - cannot help. + On systems lacking Unix-domain sockets, notably Windows, this test method + starts a temporary server configured to accept any connection originating + on the local machine. Any local user can gain database superuser + privileges when connecting to this server, and could in principle exploit + all privileges of the operating-system user running the tests. Therefore, + it is not recommended that you use <literal>make check</> on an affected + system shared with untrusted users. Instead, run the tests after + completing the installation, as described in the next section. </para> </warning> |